Artificial Intelligence is a booming business these days, no one will argue that. But I think we should be arguing about whether or not we’re ready for it as a user base. OpenAI’s new browser, Atlas, has debuted and immediately fallen vulnerable to prompt injection, an exploit that appears legitimate, but is actually a command to override or ignore security protocols. And Atlas is not alone. Perplexity Comet and Opera Neon have also admitted to susceptibility to this particular vulnerability.
AI browsers are agentic, meaning they operate and complete tasks autonomously, including interacting with websites instead of just pulling them up for the user to choose. Frankly, this is already a red flag to me from a security standpoint. If the browser cannot tell the difference between a legitimate URL and user intent then of course it’s going to become vulnerable to malicious prompts. ‘My browser fell for a phishing campaign’ is not far behind with that lack of human oversight or decision making process.
I have likened LLM functionality to letting a toddler perform surgery before, and this is the end result. AI cannot think, it can only aggregate data and formulate its reply based upon percentages and whatever the most common answer it collates is. For instance, this is why spellcheckers using AI have started including spelling options that are wrong, because so many people make the same typo it calculates that that spelling must be correct. It’s a digital lemming going over a cliff; everyone else is doing it, so it should too.
There’s talk about refining safeguards, that this is a ‘frontier security problem that the entire industry is grappling with’ (source: Perplexity security team). It’s not. This is a foundational coding issue. Having the omnibox function as both address bar and search bar is the underlying problem, one that has become endemic to browsers regardless of type. Not that long ago, the search and address bars were separate. Separate commands, separate results. Sure, one could still copy and paste a URL into the address bar and take themselves to a compromised website, but that was on them and not an inherent vulnerability of the function of their system.
Given the overall lack of understanding in how digital devices actually work and the further reduced computer literacy that social engineering relies upon, it’s incredibly naive to think that this was going to end any other way. The average user’s experience is not comparable to a programmer’s or developer’s. Failure to take that into consideration is leading us rapidly down a path of a running before we can walk with AI. That feels like having to point out the obvious, and yet, here I am, having to point it out. Threat actors have already factored user gullibility and ignorance into their equation. Phishing exists, after all.
AI browser vulnerable to prompt injection. Yeah, and fork found in kitchen.
Posted on LinkedIn, 10/27/25