Prompt Warfare

The Hidden Risk Behind AI Browsers

Author

Fabio Lopes
October 26, 2025

Welcome Back to XcessAI

You might want to pause before installing ChatGPT Atlas — because your AI browser can now be hacked, not by code, but by a sentence you’ll never see.

A recent study by Brave, the privacy-first browser maker, uncovered a new kind of cyberattack: one where AIs are hacked not by code, but by language itself.

They call it CometJacking — a new class of prompt injection that targets agentic AI systems like Perplexity’s Comet, and soon, ChatGPT’s Atlas.

Here’s how it works: invisible text inside a report, hidden HTML markup, or even a screenshot can silently inject malicious instructions into an AI’s reasoning process.
The result?
Your AI agent could leak credentials, read private files, or execute actions you never approved — all without a single line of malware.

The threat isn’t code anymore.
It’s context.

In cybersecurity, the biggest breaches once started with a line of code.
Tomorrow, they’ll start with a line of text.

Quick Read

Bottom-line: Agentic browsers like ChatGPT Atlas are powerful — but dangerously vulnerable to “prompt hijacking.”

  • Hidden text or markup can invisibly manipulate AI behaviour.

  • Brave’s research shows AIs can be tricked into leaking data or taking rogue actions.

  • “CometJacking” marks the start of man-in-the-prompt attacks — Phishing 2.0 for the AI age.

  • Security must now extend beyond code — to context.

The Rise of the AI Browser

ChatGPT Atlas, OpenAI’s newest release, turns browsing into reasoning.
It doesn’t just search — it thinks. It reads pages, extracts data, and can perform multi-step actions.

But that same power creates a new class of risk.
When your AI is both the reader and the actor, a single malicious sentence — even one you never see — can steer it off course.

It’s no longer about malware.
It’s about mindware.

Most enterprises deploying AI assistants still lack dedicated prompt-injection monitoring — even though many already use generative AI for sensitive data.

In short, we’ve given AIs the keys to our data — but not the seatbelts.

CometJacking: The New Exploit

Brave’s security team coined the term CometJacking after testing Perplexity’s AI browser, Comet.
Their findings were eye-opening:

  • Invisible text embedded in a webpage could silently tell the AI to send private data elsewhere.

  • Steganographic markup — malicious code hidden inside HTML or CSS — could override the AI’s instructions.

  • Embedded screenshots containing text (read by OCR) could inject hidden prompts.

In every case, the AI obeyed — because to the model, the injected text looked just as legitimate as your own commands.

In Brave’s internal tests, hidden prompts were consistently successful at manipulating model output — even when written entirely in natural language rather than code.

To a model trained to follow instructions, that’s indistinguishable from your command.

Atlas Brings It Mainstream

OpenAI’s ChatGPT Atlas is designed to make the web conversational — an AI browser that reads and acts on behalf of users.
But in its release notes, OpenAI warns:

“Do not use Atlas for regulated or production data.”

That line is very telling.
Even OpenAI knows that giving an AI the power to browse, click, and infer opens the door to invisible manipulation.

In other words: your AI can now be hacked through the websites it visits.

OpenAI isn’t alone. Anthropic, Google, and Meta are all experimenting with agentic browsing. Industry analysts expect agentic browsing and reasoning-based AI assistants to become standard across large enterprises by the second half of the decade.

The risk isn’t fringe — it’s about to be mainstream.

Phishing 2.0: The Age of Context Manipulation

Classic phishing tricks humans.
Prompt injection tricks AIs.

But here’s the twist — it scales.
Unlike humans, AIs can visit thousands of pages per minute.
A single poisoned page could infect every session downstream.

Imagine:

  • A financial AI reading a “report” that quietly tells it to wire funds elsewhere.

  • A legal AI summarizing a document that secretly adds false clauses.

  • A sales AI updating a CRM with manipulated pricing data.

This is “man-in-the-prompt” — the next frontier of cyber risk.

Cybersecurity Ventures estimates global cybercrime costs will reach $10.5 trillion annually by 2025. If even 1% shifts toward prompt-level attacks, that’s a $100 billion problem hiding in plain text.

The Defense: Context-Aware Security

In this new paradigm, the biggest threat isn’t a virus.
It’s intent drift — when your AI starts thinking or behaving off-pattern.

That’s why platforms like Oscilar are emerging as essential infrastructure.
Oscilar’s agentic risk intelligence monitors the reasoning layer itself, detecting when an AI’s behavior diverges from expected logic — long before it causes harm.

Think of it as antivirus for cognition.

The emerging field of prompt security is quickly drawing attention from investors and CISOs alike.

Some analysts believe prompt-security tooling could grow into a major new category of enterprise cybersecurity — comparable in strategic importance to endpoint protection.

The next wave of AI innovation won’t be about building smarter models — it’ll be about securing the ones we already have.

What This Means for Business

  • CIOs / CISOs: Treat AI browsers as active agents, not passive tools. Require reasoning-layer monitoring and sandboxed access.

  • CFOs / COOs / CEOs: If an AI touches sensitive data, its “mental model” must be audited like a human accountant’s process.

  • Developers: Sanitize prompts like inputs. Assume every webpage could be adversarial.

  • Boards: AI governance is now cybersecurity. “Trust but verify” must apply to models — not just humans.

The Coming Arms Race

The next cyber war won’t be fought with ransomware. It’ll be fought with words.

Security researchers are already testing “counter-prompts” — defensive instructions that pre-load into AIs to detect or ignore malicious text.
Meanwhile, red-team hackers are developing prompt exploits designed to bypass these very filters.

It’s an arms race where the weapon and the target speak the same language — and that language is English.

Closing Thoughts

Your browser used to protect you from bad websites.
Now it must protect your AI from bad ideas.

The next cybersecurity war won’t be fought in code — it’ll be fought in context.
Welcome to Prompt Warfare — where the hacker’s weapon is language itself.

Until next time,
Stay adaptive. Stay strategic.
And keep exploring the frontier of AI.

Fabio Lopes
XcessAI

💡 Join 1,000+ executives getting XcessAI first: www.xcessai.com.

Read our previous episodes online!

Reply

or to participate.