Orion Browser has found another reason to push back against AI-powered browsers, and this time it’s pointing to new academic research.

The browser maker shared a post on X highlighting a study from the University of Washington that looked at security in so-called agentic browsers. Orion’s takeaway was pretty straightforward. If a browser doesn’t have an AI agent built into it, it doesn’t have to worry about this particular class of attacks.

orion-browser-ai-browsers-post-x

The paper focuses on the same-origin policy, a security rule that’s been around for decades. It’s what stops one website from freely reading data from another. According to the researchers, AI agents complicate that because they’re designed to pull information from multiple tabs and websites while completing tasks for the user.

That becomes a problem if someone manages to trick the AI.

As part of the research, the team showed an attack against OpenAI’s ChatGPT Atlas. A malicious webpage was able to feed hidden instructions to the browser’s AI agent, which then pulled information from another site and sent it to a form controlled by the attacker.

ai-browser-security-risk-diagram

The researchers didn’t stop there. They also found that Chrome with Gemini, Claude for Chrome, and Perplexity Comet all met the conditions needed for similar attacks, although they didn’t demonstrate full exploits against each one.

Orion says this is exactly why it has stayed away from shipping built-in AI features. In its post, the company pointed out that browser agents work with your cookies, your logged-in accounts, and your active sessions. If an attacker manages to manipulate the agent, they aren’t just targeting one website anymore.

This isn’t the first paper to raise concerns about prompt injection either. Brave’s security team recently published its own research showing that even local AI assistants aren’t completely safe. Their proof of concept targeted Cotypist and showed how hidden instructions inside webpages could influence the assistant, despite everything running on the user’s own machine. We’ve covered those details here.

The University of Washington researchers aren’t saying people should stop using AI browsers. Their recommendation is a lot more measured. They argue that browser vendors still have work to do before these agents can safely operate with broad access across the web.

Orion, unsurprisingly, sees things differently. It says the easiest way to avoid these risks is not to build an AI agent into the browser in the first place.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.

Dwayne Cubbins
2771 Posts

I cover fast-moving stories across apps, online platforms, and everyday tech — phones, wearables, consoles, and whatever else people are fighting with this week. Bugs, rollouts, scams, policy enforcement, and the occasional internet-culture rabbit hole are all fair game. My goal is simple — make confusing tech news readable. When I'm not working, I'm working out or chilling with my dog. Got a tip? You can find me on X @dcubbins.