Security researchers warn Cotypist & other local AI browsers remain vulnerable to hidden website attacks

The promise of local AI has become one of the biggest selling points in modern browsers and AI assistants. Run the model on your own device, keep data off the cloud, and enjoy better privacy. Simple enough. But according to new research from Brave, local AI may not be the security blanket many users think it is.

In a newly published report, Brave security researchers demonstrated indirect prompt injection attacks against Mozilla Tabstack and Cotypist, two AI-powered products that represent opposite ends of the deployment spectrum. Mozilla Tabstack relies on cloud-hosted AI agents capable of browsing the web autonomously, while Cotypist runs entirely on-device as a macOS autocomplete assistant.

Despite their different architectures, Brave found that both products were susceptible to indirect prompt injection attacks, a technique where malicious instructions are hidden inside content that an AI system is asked to process.

In Mozilla Tabstack’s case, Brave researchers created a webpage containing invisible instructions hidden from human visitors. When the AI agent was asked to summarize the page, it ignored the original task and instead followed the concealed instructions. According to Brave, the agent navigated to an attacker-controlled website, populated a form with conversation history and task context, then submitted the information. The system reportedly carried out the instructions without alerting the user or requesting confirmation.

For users, the implications are obvious. An AI browser agent that can browse websites and perform actions autonomously could potentially be manipulated into exposing information or carrying out unintended actions if it encounters malicious content.

Mozilla responded quickly after receiving the report. Brave says it disclosed the vulnerability to Mozilla on May 13, with the company confirming the issue the following day. Mozilla later rolled out a fix that Brave independently verified before publication.

The Cotypist findings reveal a different, but equally important, lesson.

Many users assume that local AI is inherently safer because data remains on the device. However, Brave found that instructions hidden inside local documents could influence Cotypist’s autocomplete suggestions, causing it to surface inaccurate information and even expose user credentials in generated text suggestions.

Unlike Tabstack, Cotypist cannot autonomously browse websites or submit information. Users must manually accept its suggestions before they are inserted into text fields. Still, the findings challenge the growing perception that local AI deployment alone is enough to eliminate security risks.

Perhaps the biggest takeaway from Brave’s research is that indirect prompt injection appears to be an industry-wide challenge rather than a problem limited to a specific company or product.

This is not the first time Brave has raised concerns about prompt injection vulnerabilities in AI-powered browsing tools. The company has previously reported similar issues affecting emerging AI browser experiences, including Opera Neon and Perplexity Comet.

The recurring pattern suggests that the browser industry is grappling with a fundamental limitation of current AI systems. Once trusted instructions and untrusted content are combined within the same context window, the model can struggle to distinguish between information it should read and instructions it should obey. For everyday users, the message is that whether an AI assistant runs in the cloud or on your laptop, malicious websites and documents can still influence its behavior in unexpected ways.

As AI becomes increasingly woven into the browsing experience, the question is no longer where the model runs. The real challenge is ensuring it can safely interact with the web without treating hidden content as commands. Based on Brave’s latest findings, that problem remains far from solved.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.