I was waiting to see if the Brave team released anything about the critical flaws that AI browsers are currently suffering from, but before they released anything, I stumbled upon this.
We’ve identified a prompt injection technique that disguises malicious instructions to look like a URL, but that Atlas treats as high-trust “user intent” text, enabling harmful actions.
It will be interesting to see how these AI browsers work to overcome this critical flaw as agentic browsers all suffer from the same lack of strict boundaries between trusted and untrusted input. This issue is hard to fix since it is also what makes the browsers so appealing to people.