AI browsers are rewriting the rules. Is your security keeping pace?

1. Pro

AI browsers are rewriting the rules. Is your security keeping pace? Opinion By Adam Febery published 4 December 2025

AI browsers offer convenience, but hidden threats could steal your credentials

Comments (0) ()

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: Getty Images)

Open Microsoft Edge today and a small Copilot icon waits in the corner. Click it and the browser can summarize a page, translate a paragraph, or draft an email.

Google is adding similar capabilities to Chrome with Gemini, while the less well-known Arc and Dia are developing models that can read, reason, and act for users. This marks a new chapter for the browser, powered by agentic AI.

Adam FeberySocial Links Navigation

Security Engineering Manager at Kocho.

These tools are turning the browser into an intelligent assistant. Yet while we read the neat paragraph the assistant returns, something else may be happening unseen. Hidden text, an image tag, or an advert could contain instructions the AI follows, quietly sending credentials or downloading malicious files.

You may like

• OpenAI's shiny new Atlas browser might have some serious security shortcomings - and it's not the only one under threat from dangerous spoof attacks
• OpenAI's new Atlas browser may have some extremely concerning security issues, experts warn - here's what we know
• Agentic AI: cybersecurity’s friend or foe?

Convenience before control

As with many advances in user-friendly technology, convenience arrives before control. The browser that makes our daily routines so much easier could just as easily be working against us.

It is worth considering how agentic browsers are becoming mainstream. These are browsers that are augmented with large-language model assistants that can interpret and act on web content. They offer sophisticated summarization and translation, enhanced research and the automation of workflows directly inside the browser.

Microsoft Edge Copilot is already familiar. Its Copilot Vision feature looks at the user’s screen and scans and analyses its content, offering suggestions.

Google has integrated Gemini in Chrome, while ARC has introduced a Browse for Me feature that scours the web, reads multiple pages and “builds the perfect tab”. It’s a feature of ARC Search, which the company says is still in its early stages.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

Earlier this year, Brave announced its Brave Search API with ‘AI Grounding’, a feature it says reduces hallucinations.

As these tools move into the mainstream, new features are appearing at speed. Microsoft Edge’s October 2025 beta update – which added tab search and desktop visual – is just one recent example.

Why AI-enabled browsers can leave organizations exposed

Many features in agentic AI-enabled browsers are attractive to senior executives who have visions of greater efficiency, reduced headcount and faster research capabilities.

You may like

• OpenAI's shiny new Atlas browser might have some serious security shortcomings - and it's not the only one under threat from dangerous spoof attacks
• OpenAI's new Atlas browser may have some extremely concerning security issues, experts warn - here's what we know
• Agentic AI: cybersecurity’s friend or foe?

The problem is that there will be a rush to implement agentic AI browsers with security concerns left for later – repeating a familiar pattern from IoT, cloud and past technology cycles where adoption outran security.

This approach leaves organizations exposed. Agentic models give browsers a heavy degree of agency – the ability to make decisions and take actions on behalf of the user.

These browsers have cross-domain reach across email, cloud storage, SaaS apps and local files. With each new capability comes the potential for misuse.

How attackers can use agentic browsers

How is this likely to occur? It can begin when, for example, a user visits a perfectly normal website. The page may include adverts or third-party content. The user activates the browser’s in-built AI assistant to summarize the article or explain what is on the page.

This interaction triggers the large language model sitting behind the browser to read and interpret all available content.

What the user is unaware of is that an attacker has planted invisible text or metadata in the page. This could be white-on-white text, hidden HTML headers, cookies, ad code or code embedded in an image. Invisible to the human eye, it is just more data as far as the AI model is concerned.

This hidden text or code may instruct the model to log into the user’s email, compose an email and send the session token or password to a specific address.

Credential and data theft without a trail

Acting on these instructions, the model will accomplish credential theft, data exfiltration or file execution on behalf of the attacker.

If a user has admin rights, the injected command can go further by for example, downloading a file, renaming it and then executing it. This instantly pulls the endpoint into a botnet or opens it to remote control.

This is a significant threat because it generates no obvious indicators of compromise – no PowerShell, malware binary or exploit chain.

Endpoint detection and response technology (EDR) or antivirus will see everything as legitimate and even the website owner may be unaware that malicious code has been served through their ad network.

Ad platforms are often equally unaware, as there is no obfuscated code and no signature to match. This kind of attack is worrying and far from hypothetical. Brave Software, for example, claims to have found similar prompt injection vulnerabilities in Perplexity AI and Fellou.

Behavioral analytics picks up the clues

Although there may appear to be a major detection-gap with these threats, the good news is there is behavioral fallout that when correlated, reveals compromise.

The signs include users sending messages they have never sent before, the uploading of large or unlabeled files, the appearance of new mailbox rules and the appearance of plaintext passwords in outbound emails.

Behavioral analytics solutions will pick up these indicators within minutes. Proofs-of-concept can be replicated in lab condition. Many security operations centers (SOCs) are still playing catch-up, however.

They need to get on top of these threats quickly because of their potential seriousness. AI-assistants can act maliciously across multiple identities and systems simultaneously and it is difficult for teams to work out who is responsible for an AI-initiated action.

There is the constant danger of employees using unvetted AI plug-ins and personal copilots in their work. Developers may use agentic CLIs in their work too, increasing the risk of importing compromised packages.

Managed SOC support for smaller organizations

Smaller organisations will almost certainly need managed SOC support to counter these threats. Detection and governance need to move from signature-based detection to behavior-based detection.

Teams need the tools to intercept exfiltration, and they must be able to correlate the anomalies. Planning is required to automate containment. Given the human element in this, it is important for organisations to lay down an AI-use policy and to define approved browsers and extensions.

Developers, whether they like it or not, must be under supervision to enforce signed packages and private registries.

We are now in the era of agentic browsers, and they will prove hugely valuable tools, but given these emerging threats, adoption must be disciplined and accompanied by a significant change in security posture.

Control, enhanced monitoring and behavioral insight are necessary to maximize security as well as productivity and creativity.

We've featured the best online cybersecurity course.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

TOPICS AI Adam FeberySocial Links Navigation

Adam Febery is Security Engineering Manager at Kocho.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Logout Read more OpenAI's shiny new Atlas browser might have some serious security shortcomings - and it's not the only one under threat from dangerous spoof attacks    OpenAI's new Atlas browser may have some extremely concerning security issues, experts warn - here's what we know    Agentic AI: cybersecurity’s friend or foe?    The rise of agentic AI in cybersecurity    “Everybody's under pressure to do more with less” - Why Okta says you need an AI agent governance strategy, and sooner rather than later    The war on trust: how AI is rewriting the rules of cyber resilience    Latest in Pro Start 2026 strong - you can save up to 50% on Wix’s top apps right now    Apple Final Cut Pro (2025) review    This DDoS group just smashed the previous record with a 29.7 Tbps attack    Proton launches new end-to-end encrypted spreadhseets for ultra secure data handling    Microsoft quietly patches LNK vulnerability that's been weaponized for years    Google wants to help businesses build AI agents with no prior experience    Latest in Opinion AI browsers are rewriting the rules. Is your security keeping pace?    Sorry Apple, but I don’t think iOS 26 is fit for purpose    Passwordless authentication isn’t the problem, the myths around the technology are    ChatGPT users furious as even $200 a month Pro subscribers are hit with app suggestions    How much will the Galaxy Z TriFold cost? I’m a Samsung expert and here’s my prediction    Forget Prime – Amazon starts 30-minute deliveries to show good things come to those with zero patience    LATEST ARTICLES

1. 1NYT Connections hints and answers for Friday, December 5 (game #908)
2. 2Quordle hints and answers for Friday, December 5 (game #1411)
3. 3NYT Strands hints and answers for Friday, December 5 (game #642)
4. 4Microsoft quietly patches LNK vulnerability that's been weaponized for years
5. 5Proton launches new end-to-end encrypted spreadhseets for ultra secure data handling