AI browsers arrived with the promise of changing everything. Not only have they not done it: they are a danger
Artificial intelligence browsers did not come promising a smarter tab or a search engine with better answers. They arrived with a much greater ambition: OpenAI talks about getting closer to a “true super assistant”, Perplexity summarizes Comet as “the browser that works for you” and Google presents Gemini in chrome under the idea of a new era of navigation. The promise is clear: that we stop moving around the web alone and start delegating part of the way. The problem is that that same promise is beginning to show a more delicate side. The warning. The University of Washington has now focused on this emerging risk. In an investigation Presented at the Agents in the Wild workshop, and released by the university itself on June 30, a team analyzed seven popular agentic browsers to see how they relate to basic protection of the modern web: the same origin policy. Their conclusion was clear: four of them opened relevant risk avenues and the researchers managed to run a complete proof of concept in ChatGPT Atlas in Agent Mode. The bottom jump. A traditional browser shows us pages and waits for our decisions. We can open a service, copy data, paste it somewhere else, compare options or fill out a form, but each step depends on us. Agentic browsers alter this logic because they incorporate systems capable of interpreting what appears on the screen and moving forward within the browser itself. We are no longer just talking about summarizing a page, but rather coordinating tasks between tabs, operating on open pages and completing actions that were previously left in the hands of the user. A new front. The risk does not arise just because a page is malicious, but because the agent can interpret that page as part of its instructions. That’s where he comes in prompt injectiona technique in which external content tries to alter the behavior of the model with hidden, camouflaged or simply inserted commands where the user does not expect to find them. In a chatbot, that is already a problem. In an agentic browser, the scope changes, because the system can process information from a page and convert it into actions within the browser. The barrier that was there. The same origin policy is one of those protections that we rarely see, but that underpins much of the modern web. Its function, simply put, is to prevent one page from freely reading or manipulating information from another just because both are open in the browser. Thanks to this separation, any website should not be able to simply access what we have in a bank, an email or a private service. The problem arises when an agent groups together information that was previously much more separated. Let’s imagine that we visit a seemingly normal page and ask the agent to summarize it or help us complete a task within it. Under certain conditions, that page may include content from another source, such as an iframe, along with a malicious instruction intended for the model and not for us. If the agent has sufficient permissions, it could access content that the attacking website should not be able to read directly and move some of that information to a form controlled by the attacker. The web would not have directly broken the barrier; he would have used the agent as a bridge. The important nuance. It should be noted that the study does not say that all users will suffer an attack or that any browser with AI is insecure by definition. The researchers analyzed specific versions, at a specific time, and worked with proofs of concept, not with attacks against real services or with sensitive user data. They also observed relevant differences between products: browsers that granted fewer permissions to the agent tended to reduce risk. The paradox. These browsers are attractive because they promise to save steps, understand pages, relate information and execute tasks with less intervention from us. But that same capacity is what makes the failure weigh more: it does not occur only in an isolated tab, but in an environment where there may be open sessions, personal data and pending actions. They may not yet be a massive habit, but the security debate is already here, precisely because their proposal consists of giving them more margin. Images | Xataka with Nano Banana In Xataka | Selecting all the traffic lights is no longer enough to prove that you are not a robot. Now you have to scan QR codes