How to Use AI-Powered Browsers Without Getting Hacked

Over the past few days, I’ve been exploring all the AI-enabled browsers available to me. So far, I’ve completed general research tasks on Perplexity Comet and successfully used ChatGPT Atlas to navigate the Amazon checkout. I even spent some time getting to know the new Dia browser from Arc .
While researching these browsers, I was constantly mindful of the numerous security risks: the most obvious threat is malicious prompt injection, where malicious AI prompts are hidden in the HTML source code of a website or browser extension. But there are also cases where AI agents act without user permission, accessing their authorized accounts. Furthermore, AI-powered browsers can transfer data between browser tabs and provide user credentials through a clever prompt, even without using malicious code.
But despite the risks, there are legal ways to experiment with AI-powered browsers without compromising your privacy. In fact, most such browsers have additional features that can be enabled to enhance security and prevent apps from accessing data beyond what’s necessary. If you’re considering using an AI-powered browser on your device, here’s what you need to know to protect yourself.
What makes AI-powered browsers a security threat?
A standard web browser can only open a page upon your request. You still decide which websites to visit and which buttons to interact with. In AI-powered browsers, such as Atlas or Comet, the browsers themselves scan and analyze the webpage, summarize the information, and even act autonomously, performing tasks in agent mode. These features make AI-powered browsers very convenient for everyday use, but they also make them vulnerable to new threats, as attackers can now much more easily manipulate the browser to access your accounts and data.
The most common example is AI injection, as attackers simply need to hide malicious instructions on websites for this to work. Even OpenAI’s official documentation warns against using Atlas with production data due to concerns about AI injection. Worse, AI injection attacks don’t require you to take any action to compromise the site. Simply navigate to a webpage where these AI instructions are hidden in multiple layers of source code. You won’t even see the malicious instructions while browsing the webpage, but your browser will read the invisible instructions and automatically execute them, without asking for your confirmation or consent.
The Brave security team used several hint injection attacks to demonstrate the problems with Comet’s Perplexity, later dubbed CometJacking . In one specific case, Comet obtained a user’s email address, extracted a one-time password from their inbox, and forwarded it to the attacker undetected. This was accomplished simply by requesting a summary of a Reddit thread containing malicious hints.
Similar vulnerabilities were also discovered in ChatGPT Atlas. Security researcher Johann Rehberger was able to switch the browser from light mode to dark mode using a simple command hidden in a Word document he asked the browser to read. As LayerX explains , Atlas is also susceptible to cross-site request forgery (CSRF) attacks, where a malicious webpage can send instructions to your browser as if you’d typed them yourself. Furthermore, AI-powered browsers don’t use the same blocklists and heuristics as traditional browsers to flag known phishing sites, so they’re more likely to allow you to access a scammer’s site without blocking it. LayerX claims that Atlas users are 90% more susceptible to such attacks than Chrome or Edge users.
Automated payments carry a direct financial risk. Although AI-powered browsers are relatively new, Amazon has already secured a court order preventing users from completing payments on its websites using Comet, as this system is known to bypass certain security measures implemented to prevent financial fraud.
Enable built-in browser settings to improve security.
AI-powered browsers contain too many vulnerabilities and loopholes for typical use, but that doesn’t mean you can’t use them without risking your data. There are numerous built-in privacy settings you can enable for additional protection, as well as some general guidelines for safe browsing that can be particularly helpful. Before using an AI-powered browser, make sure it’s properly configured to address the most common vulnerabilities commonly exploited by attackers. Here’s what I’ve found to be most effective.
Disable data sharing to prevent AI-enabled browsers from training models on your data.
Almost every AI-powered browser uses your browsing patterns and search history to train future versions of its AI models, essentially improving by learning from your everyday tasks. This means that all your browsing data is sent to browser developers by default unless you specifically opt out. Fortunately, browsers that train models on your data also provide the option to disable this training, at least in paid plans. This is always the first feature you should disable if you use AI-powered browsers.
-
ChatGPT Atlas: Go to Settings > Data Management and disable “Improve model for everyone” to disable model training. Here you can also selectively prevent ChatGPT from using your browsing history or chat audio recordings for model training.
-
Perplexity Comet: Go to the new tab > Account > Settings . Disable saving AI data to opt out of model training in Perplexity.
-
Dia: In the browser window, go to Settings > Privacy . Turn off the ” Share content data to improve Dia” option.
Prevent the browser from accessing your authorized sessions.
As we saw with Comet, AI-powered browsers can be used to access your accounts on various websites and obtain sensitive information by injecting hints. Depending on the level of access, they can also access your accounts to perform certain actions without your knowledge, such as sending an email or downloading a file.
In ChatGPT Atlas, you can specifically deny AI access to your authorized sessions in agent mode, forcing it to request your credentials every time it needs to log in to your email account or social media profile. While there’s no exact equivalent to this feature in Comet or Dia, these browsers also offer controls that allow you to determine the level of access your agent can have.
-
ChatGPT Atlas: When creating a new chat in ChatGPT Atlas, select “Agent” mode from the “+” menu. A drop-down menu will appear next to the “+” menu, allowing you to switch between “Online” and “Offline” states to control the AI agent’s access to your browser cookies when you’re logged in. If you remain unlogged in, Atlas won’t be able to access your active sessions by default, instead prompting you to log in manually if your task requires access to a user account.
-
Perplexity Comet: Comet doesn’t have a universal switch to restrict access to active sessions. Perplexity notes that Comet doesn’t have access to your passwords, as they’re stored only in your operating system’s storage, but it can still use your active sessions to extract sensitive information from your accounts or perform tasks using those accounts. Therefore, it’s best to use incognito mode when logging into any websites using Comet to avoid remaining logged in after you log out.
-
Dia: Like Atlas and Comet, Dia is also vulnerable to CSRF attacks, hint injection, and memory poisoning, which allow hackers to hijack your account sessions. Like Comet, Dia doesn’t have a dedicated inactive mode, and by default, the AI has access to all your sessions to automate web tasks. Once again, remember to use your browser’s incognito mode when logged in. You can also go to “Privacy & Security” > “Clear Browsing Data” at dia://settings/ to delete existing session cookies and sign out of all active accounts.
Disable persistent memory unless you really need it.
In standard instruction injection attacks, AI-powered browsers read the attacker’s instructions and execute them only once. However, there’s a more sophisticated form of instruction injection known as memory poisoning. Attackers inject malicious instructions into your browser’s account-specific memory, which persists across all your devices in each session. For example, an attacker might use memory poisoning to trick your browser into replaying your most recent emails daily, rather than just once when it reads malicious instructions. Hackers can use this tactic to compromise your data and hijack access across multiple devices where you use the same AI-powered browser, posing an even greater threat to cross-platform browsers like Comet and Dia.
-
ChatGPT Atlas: Go to Settings > Personalization . Disable “Browser Memory Usage” to prevent ChatGPT from storing your previous chat sessions. This will effectively prevent the program from improving its performance by learning from your data, and also protect you from attacks that specifically target this feature. OpenAI notes that ChatGPT Atlas has built-in security filters that limit access to sensitive information, such as ID cards, bank account or credit card numbers, and Social Security numbers. However, disabling browser memory entirely provides much greater security. If this seems too drastic, you can also use incognito mode when performing any tasks you don’t want stored in browser memory, or go to Settings > Personalization > Browser Memory to delete or archive unnecessary memories.
-
Perplexity Comet: To clear your browsing history, cache, and cookies, go to comet://settings/ > Privacy & Security > Delete Browsing Data . To delete saved AI Memories from your Perplexity account, go to the New Tab page > Account > Settings > Memories , where you can disable saving Memories by disabling “Use Search History” and “Notes .” You can also tap “Manage Memories” to edit or delete specific Memories.
-
Dia: If you click the “Personalize” button in a new tab, Dia will take you to a page where you can customize memory usage. Disable “Personalize new chats” to prevent Dia from using your existing memory when starting new conversations. If you want to completely clear or disable memory saving, go to Settings > Memory , then click “Reset Memory” or “Disable Memory.”
Restrict agent access to sensitive sites.
In Atlas, hard-coded default restrictions prevent the browser from running code, downloading files, installing extensions, or accessing your device’s file system. Comet and Dia offer more flexible options, though both systems provide some protection against your agents handling sensitive financial data by default. But if you want to go further, you can disable agents’ access to sensitive websites, such as banking and healthcare platforms, preventing them from viewing or performing actions on these sites. This will completely protect you from code injection attacks targeting these platforms.
-
ChatGPT Atlas: Go to Settings > Personalization . You’ll see the option ” ChatGPT Page Visibility.” Clicking this allows you to add a list of websites that your agents won’t be able to access or perform any actions on, even if prompted. However, you’ll still be able to access these sites manually through your browser.
-
Comet Perplexity: You can fine-tune Comet’s permissions to prevent it from performing certain tasks on specific websites. Go to Settings > Privacy & Security , then look under Comet Assistant to find the option to “Block personal searches for these websites.” This will give you more control over which websites Comet can visit and interact with, as well as whether it can access your browser history by default.
-
Dia: You can go to dia://settings/ > Privacy and Security > Site Settings to manage permissions for each site individually. However, this won’t prevent agents from viewing data on these sites. To prevent Dia from accessing data from sensitive sites, it’s best to simply avoid logging into personal accounts except in incognito mode.
Here are some additional tips for keeping AI safe in your browser.
In general, the less data and permissions your browser agent has access to, the less damage it can cause during an attack. In addition to the built-in security settings described above, I recommend following some general guidelines when using browsers like Atlas, Comet, or Dia:
-
For most everyday tasks, continue using your regular browser, such as Chrome or Firefox. Create a separate profile for AI-enabled browsers, without sensitive login information, dedicated solely to AI-related tasks.
-
Don’t download AI-enabled browsers or AI-enabled browser extensions from unofficial sources or third-party app stores. Hackers distribute a lot of fake and malicious software in this area, so use only official sources to reduce the risk of infection.
-
Avoid accessing user-generated content platforms like Reddit using your AI-powered browser, as they are fertile ground for code injection attacks. However, if you must do so, be sure to restrict your agents’ access to any data on these sites.
-
Don’t copy and paste long text strings or URLs into your AI-enabled browser without checking them first. Attackers can disguise their attempts to inject suggestions into longer URLs. This is a very common vulnerability used by hackers to attack the Omnibox in the Atlas browser , which is a combination search bar and suggestion bar.
-
When running multi-step workflows, always monitor what the agent is doing and use the pause or interrupt controls to stop any suspicious activity as soon as you notice it.
-
For sensitive platforms like financial websites or corporate communication apps, enable two-factor authentication on your account to prevent employees from logging in without your knowledge.