The (dangerous) AI-powered browsers

OpenAI and Microsoft have launched browsers with integrated artificial intelligence (AI) almost simultaneously, promising to automate web browsing tasks, moving from simply searching for information to carrying out transactions. But experts warn of unresolved security vulnerabilities and privacy risks. Would you give an AI chatbot your bank account credentials?

The issue isn't technological but strategic: controlling the web browser means being able to observe billions of internet users and access an advertising business worth hundreds of billions of euros. After a decade of stability dominated by Google Chrome, AI companies are betting on redesigning the web browser as a conversational platform with autonomous agents. The problem is that this leap comes with risks that are still unresolved.

Atlas and a revamped Edge arrive

Last week, OpenAI announced ChatGPT Atlas, a new web browser based on Chromium—the same engine as Google Chrome—but with ChatGPT integrated into its core. Just two days later, Microsoft unveiled new capabilities for Copilot mode in its Edge browser. This synchronization is no coincidence: OpenAI has created a new browser to build an independent platform, while Microsoft is improving an existing product to leverage Edge's user base. Atlas, available in Catalan and initially only for macOS, offers conversational search, a ChatGPT sidebar, and a "browsing memory" system that stores the context of visited sites for 30 days on OpenAI's servers. Agent mode, for paid subscribers ($20 per month), can open tabs, click, and make purchases autonomously.

Microsoft Edge's Copilot mode, available experimentally since July but updated on October 23, offers features like multi-tab access, automatic history organization by topic, and the ability to perform multi-step transactions, such as booking a table at a restaurant, free "for a limited time."

More AI-powered browsers: Comet, Neon, and others

AI-powered browsers existed before these releases. The Norwegian firm Opera pioneered Aria in 2023 and in May of this year launched Neon, which it considers the "first agentive [will-driven] browser." Brave incorporated the Leo assistant in late 2023 and highlights its privacy architecture: conversations are immediately discarded and there's no need to log in. Perplexity launched Comet on July 9 for paying users, and made it free in October. Finally, The Browser Company is working on Dia, which isn't a supermarket chain but an "AI-native" browser.

What do they really offer?

Unlike traditional AI browser extensions, which are usually limited to summarizing or translating content, these browsers offer deep integration: access to all tabs, history, and the ability to perform privileged actions. Conversational search replaces the traditional search box with a chat interface. Persistent contextual memory remembers preferences between sessions, and autonomous agents can navigate, click, and complete workflows on their own.

All of this adds to OpenAI's commitment. to position ChatGPT as a new operating systemThis allows apps like Spotify, Booking.com, and Canva to run within the chatbot beyond simple links: they are interactive experiences enhanced with contextual AI. Furthermore, the Agentic Commerce protocol, co-developed with the digital payments company Stripe, allows users to purchase products directly within the chatbot. All these agents aim to reliably automate tasks, but OpenAI admits that they "can make mistakes in complex workflows."

Why do they want the browser?

With nearly 3.5 billion users, Google Chrome controls 72% of the global web browser market, followed distantly by Apple's Safari (14%). This dominance fuels an advertising business that will reach almost $240 billion this year: Chrome users perform 27% more Google searches than Firefox users. AI companies are eager to acquire this data. OpenAI acknowledges that it created Atlas "to have greater control over the data it can collect." Every click, time spent on the site, and query is used to train AI models. It's also a pathway to the advertising business: both OpenAI and Perplexity are developing their own advertising platforms. The current regulatory context is relevant: Google has been declared a monopoly in web search by a court. The court declined to force it to sell Chrome but required it to share data with its rivals, thus opening the door to competition.

Serious security holes

Beyond the business implications, users should be concerned that AI-powered browsers present unacceptable vulnerabilities, according to cybersecurity specialists. Dane Stuckey, head of security at OpenAI, acknowledged last week that so-called "prompt injection" remains "an unresolved security issue." These cyberattacks allow malicious instructions embedded in web content—for example, in the form of text the same color as the page background, so the user doesn't see it—to be processed by AI as legitimate commands. Brave demonstrated with an attack against the Comet browser that it extracted the user's Gmail email address and one-time password. Perplexity has attempted to fix it twice, so far without success. LayerX Security has already found a security hole in Atlas that allows malicious instructions to be injected into persistent memory, which is maintained across devices, sessions, and browsers. LayerX itself tested 103 data phishing attacks: Chrome blocked 47%, Edge 53%, but Atlas only 5.8% and Comet 7%. Simply put, AI browsers are 90% more vulnerable to credential theft than traditional browsers.

It should be noted that AI extensions for conventional web browsers are not immune to this danger either. According to the University of California, Davis, some capture the complete HTML code of pages, including medical records and identity documents. The Merlin and Sider extensions for Chrome transmit the content of health portals, banking websites, and other private spaces, violating all personal data protection regulations.

We are sorely lacking in caution.

However, user curiosity is trumping prudence: according to Cyberhaven Labs, 28% of US companies—where Macs are more prevalent than in our own—already had at least one employee using Atlas this week, just seven days after its launch. Until fundamental security issues are resolved, it's not advisable to replace our usual browser with this new generation powered by AI, especially when visiting banking, health, or sensitive personal information websites. If you do switch, it's essential to use unique passwords and enable two-factor authentication. Generally, it's preferable to stick with Brave, Firefox, Safari, or even Chrome, perhaps adding AI extensions in a controlled manner. The technology is interesting, and the capabilities are remarkable. But security should outweigh the promise of convenience. The problem is that prudence is a rare quality among technology consumers, especially when the world's richest companies are betting fortunes on convincing us that this time will be different.