AI-Powered Browsers Introduce New Enterprise Security Risks
Security researchers have uncovered vulnerabilities in AI-powered browsers and assistants, exposing enterprises to heightened risks of data breaches and unauthorized access. A key concern is prompt injection attacks, where malicious instructions embedded in web pages, emails, or documents trick AI agents into executing unintended commands that bypass security guardrails.
Last year, Brave Software revealed that Perplexity’s Comet AI assistant failed to distinguish between legitimate user commands and hidden malicious prompts, potentially exposing sensitive data like bank accounts, emails, and cloud storage. While Perplexity later implemented real-time prompt injection classifiers, OpenAI acknowledged in December that such threats remain persistent, comparing them to social engineering attacks with no definitive solution.
Gartner has advised CISOs to block AI browsers with agentic capabilities until enterprise-ready alternatives emerge, citing privacy risks from cloud-stored browsing data and third-party tracking. A 2025 University of California, Davis study found that generative AI browser assistants collect and share personal and sensitive information with both first-party servers and third-party trackers like Google Analytics.
Unlike traditional browser threats, prompt injection attacks are easier to execute because they use natural language and require no advanced technical skills. A 2025 Gartner report found that 32% of organizations have already experienced such attacks on GenAI applications. Palo Alto Networks warns that these attacks can manipulate AI agents into leaking data, escalating privileges, or abusing connected systems, often undetected by conventional security tools.
Enterprises face additional risks from shadow AI, meaning unauthorized AI browser usage that creates blind spots for IT teams. IBM’s 2025 Cost of Data Breach report attributed 20% of breaches to shadow AI incidents. Compounding the issue, AI agents often operate with excessive permissions, violating the principle of least privilege, while Model Context Protocol (MCP) supply chain attacks introduce new attack vectors through third-party API integrations.
To mitigate risks, security experts recommend:
- Isolating agentic AI capabilities from routine browsing to prevent accidental exposure.
- Adopting enterprise-grade AI browsers with runtime security to monitor prompts and block malicious interactions.
- Requiring step-up MFA and human approval for sensitive actions, ensuring oversight before data transfers or transactions.
- Deploying defensive AI agents to detect anomalous behavior in primary browser agents.
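The following is an added illustration, not code from the article or from any browser vendor named in it: a small policy gate that an agentic browser could run before executing a tool call, combining three of the recommendations above. It tags every action with its instruction origin (typed by the user versus derived from page, email or document content, which is where prompt injection enters), enforces least-privilege scopes, and forces human approval for data transfers and transactions. All action kinds, scope names and hosts are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_APPROVAL = "require_human_approval"  # step-up MFA / human-in-the-loop
    DENY = "deny"


@dataclass
class AgentAction:
    kind: str                     # hypothetical action kinds: read_page, submit_form, transfer, send_email
    target: str                   # host the action touches (constructed sample values in tests)
    origin: str                   # "user" = typed instruction; "page" = derived from fetched content
    granted_scopes: set = field(default_factory=set)


# Actions that move data or money out of the user's control: always gated by a human.
SENSITIVE_KINDS = {"submit_form", "transfer", "send_email", "download"}

# Least-privilege mapping: an action runs only if the agent holds the matching scope.
REQUIRED_SCOPE = {
    "submit_form": "forms:write",
    "transfer": "payments:write",
    "send_email": "mail:send",
    "download": "files:read",
}


def evaluate(action: AgentAction) -> Decision:
    """Decide whether the browser agent may perform `action` right now."""
    # 1. Isolation: instructions that originated in web/email/document content
    #    (the prompt-injection channel) are never allowed to trigger sensitive actions.
    if action.origin != "user" and action.kind in SENSITIVE_KINDS:
        return Decision.DENY
    # 2. Least privilege: deny anything the agent was not explicitly scoped for.
    needed = REQUIRED_SCOPE.get(action.kind)
    if needed is not None and needed not in action.granted_scopes:
        return Decision.DENY
    # 3. Step-up: even a user-initiated, in-scope sensitive action waits for approval.
    if action.kind in SENSITIVE_KINDS:
        return Decision.REQUIRE_APPROVAL
    return Decision.ALLOW


def audit_line(action: AgentAction, decision: Decision) -> str:
    """One log line per decision, so a defensive monitor can spot anomalous runs."""
    return f"agent_action kind={action.kind} target={action.target} origin={action.origin} decision={decision.value}"
```

Every decision is emitted as a log line so that a separate monitoring agent, or an ordinary SIEM rule, can alert on clusters of denied page-origin actions, which is the visible trace a prompt-injection attempt leaves behind.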
While AI browsers enhance productivity, their broad access and evolving attack surfaces demand stricter governance, visibility, and security controls to prevent exploitation.
Source: https://www.spiceworks.com/ai/ai-powered-browsers-the-new-frontier-of-enterprise-security-risks/
OpenAI cybersecurity rating report: https://www.rankiteo.com/company/openai
Brave cybersecurity rating report: https://www.rankiteo.com/company/brave-software
Perplexity cybersecurity rating report: https://www.rankiteo.com/company/perplexity-ai
"id": "OPEBRAPER1781289020",
"linkid": "openai, brave-software, perplexity-ai",
"type": "Vulnerability",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/AI',
'name': 'Perplexity',
'type': 'AI Assistant Provider'},
{'industry': 'Technology/AI',
'name': 'OpenAI',
'type': 'AI Research/Development'},
{'industry': 'Technology',
'name': 'Brave Software',
'type': 'Browser Developer'},
{'industry': 'Multiple',
'name': 'General Enterprises (Unspecified)',
'type': 'Various'}],
'attack_vector': ['Malicious prompts in web pages/emails/documents',
'Shadow AI',
'Third-party API integrations (MCP supply chain attacks)'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Bank account details',
'Emails',
'Cloud storage data',
'Personal and sensitive '
'information']},
'description': 'Security researchers have uncovered vulnerabilities in '
'AI-powered browsers and assistants, exposing enterprises to '
'heightened risks of data breaches and unauthorized access. A '
'key concern is prompt injection attacks, where malicious '
'instructions embedded in web pages, emails, or documents '
'trick AI agents into executing unintended commands bypassing '
'security guardrails. Enterprises face risks from shadow AI, '
'excessive permissions, and supply chain attacks via '
'third-party API integrations.',
'impact': {'brand_reputation_impact': ['Privacy risks',
'Data exposure concerns'],
'data_compromised': ['Bank account details',
'Emails',
'Cloud storage data',
'Personal and sensitive information'],
'identity_theft_risk': True,
'operational_impact': ['Unauthorized data access',
'Privilege escalation',
'Undetected malicious activity'],
'payment_information_risk': True,
'systems_affected': ['AI-powered browsers/assistants',
'Enterprise cloud storage',
'Third-party tracking systems']},
'lessons_learned': 'AI-powered browsers introduce new attack surfaces like '
'prompt injection and shadow AI, requiring stricter '
'governance, visibility, and security controls. '
'Traditional security tools may not detect these threats, '
'necessitating specialized defenses like runtime security '
'and defensive AI agents.',
'motivation': ['Data exfiltration',
'Privilege escalation',
'Financial gain (via dark web sales)'],
'post_incident_analysis': {'corrective_actions': ['Implement runtime security '
'for prompt monitoring',
'Enforce least-privilege '
'access for AI agents',
'Isolate agentic AI '
'capabilities from routine '
'browsing',
'Deploy defensive AI agents '
'for anomaly detection',
'Enhance visibility into '
'shadow AI usage'],
'root_causes': ['Lack of prompt injection '
'detection in AI agents',
'Excessive permissions granted to '
'AI browsers/assistants',
'Third-party tracking and data '
'sharing',
'Shadow AI usage creating security '
'blind spots',
'Supply chain risks via '
'third-party API integrations']},
'recommendations': ['Isolate agentic AI capabilities from routine browsing',
'Adopt enterprise-grade AI browsers with runtime security',
'Implement step-up MFA and human approval for sensitive '
'actions',
'Deploy defensive AI agents to monitor anomalous behavior',
'Enforce least-privilege access for AI agents',
'Monitor third-party API integrations for supply chain '
'risks'],
'references': [{'source': 'Brave Software'},
{'source': 'OpenAI'},
{'source': 'Gartner'},
{'source': 'University of California, Davis Study (2025)'},
{'source': 'IBM’s 2025 Cost of Data Breach Report'},
{'source': 'Palo Alto Networks'}],
'response': {'containment_measures': ['Isolating agentic AI capabilities from '
'routine browsing',
'Runtime security for prompt '
'monitoring'],
'enhanced_monitoring': ['Defensive AI agents to detect anomalous '
'behavior'],
'remediation_measures': ['Enterprise-grade AI browsers with '
'security controls',
'Step-up MFA and human approval for '
'sensitive actions']},
'stakeholder_advisories': 'CISOs advised to block AI browsers with agentic '
'capabilities until enterprise-ready alternatives '
'emerge due to privacy and security risks.',
'title': 'AI-Powered Browsers Introduce New Enterprise Security Risks',
'type': ['Data Breach', 'Unauthorized Access', 'Prompt Injection Attack'],
'vulnerability_exploited': ['Lack of prompt injection detection',
'Excessive permissions in AI agents',
'Third-party tracking and data sharing']}