{"id":24638,"date":"2025-09-11T19:04:35","date_gmt":"2025-09-11T15:04:35","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24638"},"modified":"2025-09-11T19:04:35","modified_gmt":"2025-09-11T15:04:35","slug":"ai-browser-security-privacy-risks","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ai-browser-security-privacy-risks\/24638\/","title":{"rendered":"The pros and cons of AI-powered browsers"},"content":{"rendered":"

Whether superintelligent AI arrives by 2027 is anyone\u2019s guess. However, the forecast for 2026 is already clear: the year will be defined by easily accessible AI agents\u00a0\u2014 large multimodal models capable of building and executing a chain of actions based on user commands. Agentic features are already available on the ChatGPT website and from other providers, but achieving maximum performance requires these agents to execute actions directly on the user\u2019s computer rather than in the cloud. The ideal solution would probably be an AI-powered OS, but creating a new operating system is a challenge. Because of this, all minds are focused on a user-friendly and effective alternative: the AI browser. And by that we mean a regular web-browsing application with a deeply integrated LLM. The AI model can view all open web pages, process information from them, and issue the same commands a user typically would, such as opening, clicking, entering data, saving, and downloading.<\/p>\n

The market leaders all see the value of this solution. For instance, Perplexity has released its own Comet Browser<\/a> and recently made a multi-billion-dollar bid<\/a> to buy Chrome, while OpenAI has started developing its own browser<\/a>. Google and Microsoft are in a better position, integrating Gemini and Copilot into their existing Chrome and Edge browsers, respectively. Meanwhile, Mozilla is approaching the same goal from a different angle: gradually integrating AI features<\/a> deeply into its Firefox browser.<\/p>\n

As a result, you\u2019re already seeing ads encouraging you to \u201cupgrade your browser\u201d by either downloading the latest version, or activating \u201csmart features\u201d in your current one. Next year, they\u2019ll be wall to wall. The only thing left to decide will be why you need all this, and whether the benefits are worth the emerging risks.<\/p>\n

Why you might need an AI browser<\/h2>\n

An AI assistant perfectly integrated into your browser can free you from many tedious tasks. With the press of a button, you can get a quick summary of a long article or a two-hour video; or instead of reading a lengthy document, you can ask a question about its content. All of this happens quickly and naturally, without the need to copy and paste links or text into a chatbot tab.<\/p>\n

But the real breakthrough will come with agentic features: the ability to perform specific actions rather than just process data. For example, you could open your favorite marketplace and tell the assistant to add everything you need for a three-day backpacking trip in August to your cart.<\/p>\n

Unlike similar features already available on AI provider websites, this agentic activity takes place directly on your computer. Online services recognize you since you\u2019re already logged in, and operations occur much faster than they would on a cloud virtual machine \u2014 though better results aren\u2019t guaranteed.<\/p>\n

Information retrieval features can also provide more relevant results in an AI browser running on your device because bots like ChatGPT, Claude, and Perplexity are blocked from many websites. This prevents LLMs from considering many up-to-date sources in their answers. With these features running from within the browser, the problem will be significantly alleviated as the AI assistant will access websites on your behalf. Additionally, if you\u2019re subscribed to any restricted data sources, such as scientific journals or stock market reports, the AI agent will be able to use them as needed.<\/p>\n

Why AI companies need such a browser<\/h2>\n

Some AI solution providers\u2019 motivations they state themselves, while others require educated guesses based on the business models of Big Tech.<\/p>\n

Billions of users.<\/strong> Successful entry into the browser market is a ticket to the largest possible user base. Sure, acquiring Chrome, or at least Firefox, would be ideal, but failing that, tech players can always push their own browser high up the popularity ladder.<\/p>\n

\u201cStickiness\u201d.<\/strong> A service that\u2019s built directly into the browser will see more frequent use because it\u2019s always within easy reach. Besides, it\u2019s harder to switch from a familiar browser: it takes significant effort to migrate bookmarks and extensions to another browser and set it up. This is way more than simply closing one chat tab and opening another.<\/p>\n

More information.<\/strong> If there are many users, and they access the service frequently, they feed the AI provider more information, allowing new versions of language models to be trained faster, helping to improve the product. A browser has access to all user web traffic, so training can be done on any website data \u2014 not just on conversations with the model.<\/p>\n

New training methods.<\/strong> The provider gains a gold mine of behavioral data. Currently, AI agents work by looking at web pages and figuring out what button to press. This is similar to how humans think out loud: it\u2019s a slow and not very efficient process. Training on mouse movements and clicks will allow for a completely new layer in the model, resembling motor memory which, just like in humans, will be faster and more efficient.<\/p>\n

Sufficiently bold providers could even utilize user files on the computer for training. Newer versions of Facebook are already doing something similar<\/a> by sending unpublished photos from the user\u2019s phone gallery to the cloud.<\/p>\n

Lower costs.<\/strong> AI providers\u2019 enormous server costs would decrease because some of the work would be done directly on the user\u2019s computer instead of on a virtual machine in the cloud.<\/p>\n

Bypassing blocks and paywalls.<\/strong> AI model training is already facing a shortage of new information, with the problem exacerbated by many websites blocking access to AI agents. Cloudflare, which protects one in five websites, including the vast majority of larger ones, has enabled this policy by default<\/a>. Sending data requests from the user\u2019s computer addresses these challenges: the AI agent\u2019s activity is indistinguishable from the computer owner\u2019s.<\/p>\n

A distributed network of browsers makes it possible to access websites for things like model training, without running into restrictions. In principle, this also allows downloading publicly unavailable data, such as articles in subscription-based journals.<\/p>\n

Impact on privacy and confidentiality<\/h2>\n

All of this means that an AI browser creates significant, poorly controlled threats to your privacy. AI companies get access to all of your traffic, your entire web history, the full content of those websites, and all the files on your computer.<\/p>\n

As a result, you might unintentionally feed deeply personal or restricted data \u2014 like books you purchased, or unpublished scientific papers \u2014 into a publicly available AI system. You could also accidentally leak highly confidential information from work websites, such as draft financial reports, in-progress designs, or other trade secrets.<\/p>\n

This isn\u2019t some sci-fi scenario: in 2023, ChatGPT mistakenly revealed snippets of users\u2019 chats<\/a>, and the \u201cshare chat\u201d feature \u2014 available to ChatGPT users until July 31, 2025 \u2014 resulted in tens of thousands of user conversations being indexed by search engines<\/a> and made available to anyone.<\/p>\n

What makes AI-powered browsers a security risk<\/h2>\n

Incidents involving AI applications are becoming commonplace, and paint a worrying picture.<\/p>\n

In a recent experiment<\/a>, researchers successfully tricked an AI agent within the Comet browser into downloading malware onto its owner\u2019s computer. They did this by sending a fake email to the victim\u2019s account, which the agent could access, stating falsely that it contained blood test results. To download them, the user had to click a link and complete a CAPTCHA. When the AI agent tried to download the results and encountered a CAPTCHA, it was prompted to complete a special task, which the agent \u201csuccessfully\u201d handled by downloading a malicious file.<\/p>\n

In another experiment by the same team, an AI assistant was persuaded to buy products from a scam site. Considering that passwords and payment information are often saved in browsers, deceiving an AI agent could lead to real financial losses.<\/p>\n

The researchers noted that AI is highly susceptible to social engineering, and tried-and-true human deception tricks work well on it. While the tests were conducted in the Comet browser, the same thing would happen in any browser with AI agent capabilities.<\/p>\n

Another risk is that a browser is a fully featured application with broad access to files on the computer. By obeying a prompt injection<\/a> on a malicious site, a browser assistant can delete the user\u2019s files, or upload them to fraudulent websites without permission. A recent example involving the hack of the Nx application<\/a> demonstrated this: the malicious code didn\u2019t search for crypto wallets or passwords on infected developers\u2019 computers itself; instead, it simply instructed previously installed AI assistants to find the files it needed.<\/p>\n

A third, still hypothetical, risk is related to the fact that more and more countries are passing laws against accessing illegal information online. The list of what\u2019s forbidden differs from country to country, from child sexual abuse and terrorism to unlicensed books and cryptographic technology. If some players in the AI browser market decide to use their browser as a crawler (search bot) to train new LLMs, or if an AI agent is attacked with a prompt injection, the AI assistant could start searching for such information without the user\u2019s request. How the user would prove that it was the AI looking for the data is an open question.<\/p>\n

We also shouldn\u2019t forget about traditional software vulnerabilities. Hundreds of dangerous defects<\/a> are found in browsers every year because browser security is a complex engineering task. Even with the Chromium team doing the lion\u2019s share of the work, there\u2019s still plenty for wrapper developers to do. Will enough attention be paid to testing and fixing vulnerabilities in AI-powered browsers? It\u2019s not a given.<\/p>\n

Finally, sloppy implementation of AI features can lead to excessive memory and CPU consumption, as demonstrated by the recent release of Firefox 141<\/a>. While this doesn\u2019t directly threaten security, the lags and glitches annoy users and increase the chance of human error.<\/p>\n

What makes for an ideal AI browser<\/h2>\n

To enjoy the benefits of AI without creating unnecessary risks, you should choose a browser that:<\/p>\n