Another study pops the hype bubble surrounding AI browsers by revealing significant security vulnerabilities.
Four widely-used AI browsers are vulnerable to data theft from other open tabs.
AI browsers are marketed as the next major advancement, capable of summarizing content, booking trips, and even making purchases on your behalf. However, a recent study from the University of Washington discovered that four out of the seven most popular AI browsers pose a significant security risk, allowing malicious websites to extract data from other open sites. The more advanced the browser, the higher the associated risk.
The 30-year security rule that AI browsers violate
Every browser since 1995 has adhered to a principle known as the same-origin policy, which prevents websites from accessing each other’s data. For instance, if you are using your banking site in one tab while visiting a dubious site in another, that dubious site cannot access your banking information. AI browsers need to override this policy to function properly, as they require access to multiple tabs to perform tasks.
This broader access can be exploited by attackers in two ways. The first, prompt injection, involves a malicious webpage embedding secret commands that the AI agent executes unknowingly, which might expose private emails, passwords, or calendar events.
The second method is memory poisoning, where embedded commands are saved in the agent's memory and activated later, even after the original page is closed. Researchers successfully executed a proof-of-concept attack on ChatGPT Atlas, highlighting the reality of the threat. Claude for Chrome was identified as particularly dangerous due to its browser extension allowing direct code injection into webpages.
Which AI browsers are secure, and which ones compromise your data?
Among the seven browsers examined, ChatGPT Atlas, Chrome with Gemini, Claude for Chrome, and Perplexity Comet were deemed vulnerable. In contrast, Microsoft Edge with Copilot, Brave Leo, and Firefox AI Mode exhibited better security features, although Firefox was also noted as being the least capable.
The researchers shared their findings with all the companies concerned. Anthropic and Firefox did not respond, while Perplexity and OpenAI opted not to take action, claiming the researchers did not provide a complete demonstration of an end-to-end attack. Meanwhile, Google, Microsoft, and Brave engaged constructively with the findings.
This aligns with the recent BioShocking exploit, which also illustrated how AI browsers can be manipulated through context. Current research indicates that AI browsers may be advancing more quickly than their security can manage.
---
A counterfeit version of Maccy, a popular clipboard manager for macOS, is being utilized to spread a new type of Mac malware identified as PamStealer. According to researchers at Jamf, the malware masquerades as the legitimate open-source application, with the true intent of stealing information and capturing users' login passwords. PamStealer is delivered as a disk image containing an AppleScript file that imitates Maccy. When the user opens this file, macOS executes it in Script Editor, where on-screen prompts instruct them to press Command-R. For those expecting a typical app installation, this may appear as an unusual setup step. In reality, this action triggers hidden malware code and initiates the attack.
---
A new innovation teaching drones to sense pain could prevent self-driving cars from causing harm to themselves.
When you sprain your ankle while running, your body sends pain signals to your brain, prompting you to stop and avoid further injury. This ability to perceive pain helps prevent self-inflicted damage. Researchers from Delft University of Technology and Wageningen University have applied this concept to drones by equipping them with a digital version of a nervous system that identifies malfunctioning components and issues a pain-like alert. This technology may also have applications in self-driving cars.
---
Anthropic’s most advanced publicly available Claude model, Claude Fable 5, is temporarily leaving subscription access after July 7 due to high demand. The company is working to alleviate concerns that this change will be permanent. Fable 5 recently returned to Claude following scrutiny from the U.S. government. Anthropic announced it would be available on Pro, Max, Team, and select Enterprise plans for up to 50% of weekly usage limits until July 7. After this date, the model will transition to a usage-credit billing system, requiring users to pay for access that exceeds their standard plan limits.
Other articles
Another study pops the hype bubble surrounding AI browsers by revealing significant security vulnerabilities.
Researchers evaluated seven prominent AI browsers and discovered that four of them were susceptible to attacks that deceive the AI agent into revealing personal information.
