Digital Privacy
AI Prompt Injection Risks: Why No AI Browser Is Fully Safe
Prompt injection attacks now hit AI browsers like Comet and Atlas. What the recent breaches mean for small businesses, and how to protect yourself.
24 Oct 2025 · 5 min read · By Sophie Kazandjian
Prompt injection attacks now reach AI browsers like Comet and Atlas. What the late-2025 disclosures mean for small businesses, and how to work with browser AI without inviting in what it cannot see.
Last updated: 3 November 2025.
AI browser agents like Comet (Perplexity) and Atlas (OpenAI) have become household names for digital operations and workflow automation. But in late October 2025, major new vulnerabilities came to light that upended the security picture for all business users. Prompt injection, the exploitation of AI via hidden instructions in inboxes, calendar events, websites, or even screenshots, has gone from niche threat to headline risk.

What is prompt injection, and what's changed
Prompt injection is a new style of attack where adversaries embed hidden commands in everyday digital content like emails, invites, web pages, even search results. When an AI agent with access to that content is asked to summarise, sort, or automate tasks, it may accidentally execute the attacker's hidden instructions. The result? Unwanted emails, leaked files, altered events, or wider digital compromise, often without any user warning.
Key new risks in November 2025
Direct exploits of browser trust: Attackers can now hijack AI browsers like Cometand Atlasusing not just text, but cleverly encoded URLs, screenshots, and fake search results.
Cross-site and session attacks: A new "one-click" technique ("CometJacking") can allow an attacker to control your session across open tabs, enabling broad data exfiltration and unauthorised actions even if you never leave your inbox or calendar.
Cross-device memory poisoning: The "tainted memories" attack:
Atlas users face a particularly serious vulnerability. Security researchers at LayerX discovered that attackers can use CSRF techniques to inject malicious instructions into your ChatGPT account memory without your knowledge.
This isn't browser memory that clears when you restart. It's your ChatGPT account memory, the feature that helps ChatGPT remember context from past conversations. Once poisoned, these tainted memories persist across every device and browser where you use that ChatGPT account: your work laptop, home computer, mobile phone, whether you're using Atlas, Chrome, or Safari.
The next time you ask ChatGPT a normal question, the hidden instructions trigger automatically. The AI may execute remote code, leak data, or take actions that appear legitimate but serve the attacker's goals.
LayerX testing found that Atlas currently lacks meaningful anti-phishing protections, leaving users up to 90% more vulnerable to these attacks than users of Chrome or Edge.
How the main AI agents compare
Security testing in November 2025 by Brave Software, LayerX Security, and NeuralTrust found:
Comet is still somewhat safer than Atlas, but no longer immune: indirect attacks sometimes slip by real-time scanning, and session-wide context scraping makes "one tab hack/many tabs breached" a real risk.
Atlas is currently the least secure, failing to block most modern prompt injections and remaining vulnerable to session persistence, even after the user restarts or logs out.
What you should do differently now
Recognise prompt injection as a live threat, not a theoretical one. Attacks may come not just as weird links, but as ordinary-looking invites, inbox messages, or even image content on websites.
Don’t rely on live scanning or confirmation dialogs alone. Even real-time AI can miss “indirect” or obfuscated instructions. There’s no substitute for regular manual checks, vigilance, and limiting agent permissions.
Keep AI agent permissions tightly scoped: Only allow access to the narrowest necessary inbox, calendar, or drive. Never “allow all.” Regularly review and revoke unused connections.
Limit open tabs (especially to websites containing sensitive info) while agentic browsing is active. Exploits can jump contexts, especially when using connectors to platforms like Gmail, Google Calendar, or SharePoint.
Minimise third-party app integrations: The more you connect, the bigger your “blast radius” if an exploit hits. Disconnect apps and connectors you aren’t actively using.
Choose browsers/vendors with rapid-response transparency: Demand regular, external security audits and clear breach notification channels.
Prefer a two-browser setup for safety: For most small businesses and professionals, the safest approach is to use a privacy-focused browser like Brave for sensitive logins, confidential data, and business communications. Keep agentic AI browsers (such as Comet or Atlas) strictly for non-confidential, controlled workflows, where speed and AI assistance bring real value, but where no client, financial, or business-critical information is put at risk. Brave blocks trackers and runs cooler than Chrome, making it ideal for long work sessions.
Real-world scenario: a malicious calendar invite targets your AI agent
Let’s imagine: Your browser-based AI agent (Comet or Atlas) is connected to your Gmail and calendar. A meeting invite arrives containing a hidden, invisible prompt injection. Here’s what the ideal, but not flawless, defense looks like:
You open the invite: No overt sign anything is amiss.
You ask your AI agent to summarise/respond: The agent scans the content; prompt injection classifiers may block obvious tricks. But “indirect” or evolving exploits might sneak through.
Confirmation step: Most legitimate actions still require a human approval click. But artfully crafted attacks may “hide” their true intent and win user approval.
Post-action review: If something is odd (unexpected mail sent, calendar updated), revoke access immediately and monitor your accounts. Don’t wait for a notification.
The updated takeaway, November 2025
No AI browser is immune to prompt injection and cross-session attacks. Comet now faces the same “zero-trust” necessity as Atlas, especially for business users with sensitive data.
Limit permissions, always.
Keep agentic browsing “in scope” only for trusted tabs and workflows.
Never approve AI-suggested drafts or actions without personally reviewing them.
Stay up to date on vendor patches, and demand transparency from your browser/agent provider.
Summary actions for business users
Audit all connected apps monthly, or after any strange AI behaviour.
Educate your team: Train everyone to spot odd instructions, “silent” authorisations, and AI agent quirks.
Use browser-based AI for in-scope, human-reviewed workflows, but keep high-security data (banking, HR, confidential negotiations) disconnected and manual for now.
Adopt a dual-browser setup: Use a security-focused traditional browser such as Brave for email, banking, and confidential work, and reserve agentic AI browsers for controlled, low-risk tasks.
Prompt injection is now a living, evolving business risk. But by combining strong user vigilance, minimal permissions, and rapid response to vendor patches, you can make AI tools work for your business without inviting new digital threats in the back door.