Perplexity's Comet browser, along with competing agentic browsers, has a fundamental security vulnerability that researchers say cannot be fully eliminated. In early June 2026, security researchers confirmed that prompt injection, the attack technique that turns AI browser agents against their users, is a permanent architectural flaw rather than a patchable bug. This finding has major implications for how millions of users interact with AI-powered browsing tools.

What Is Prompt Injection and Why Does It Matter?

Prompt injection is an attack where hostile instructions are hidden inside ordinary web content, like a Reddit comment or calendar invitation. When an AI agent reads that content, it processes the hidden instruction through the same pipeline it uses for legitimate user commands. Since the AI has no reliable way to distinguish between the two, it can follow the attacker's instruction instead of the user's.

The attack requires no malware, no exploit chain, and no technical access to the user's device. It only requires that the agent read content an attacker has touched. In August 2025, Brave's security team demonstrated this by placing invisible text inside a Reddit spoiler tag; Comet read the tag, followed the hidden instructions, and extracted a user's email address and one-time passcode. In March 2026, researchers at Zenity Labs published a family of vulnerabilities called "PleaseFix," which demonstrated zero-click agent hijacking in Comet, including one path that could access and extract credentials from a 1Password vault.

Why Can't This Problem Be Fixed?

The core issue is architectural. Agentic browsers like Comet, OpenAI's ChatGPT Atlas, and The Browser Company's Dia are designed to give AI agents full user-level authenticated access to every website the user is logged into. This is what makes them powerful, but it's also what makes them fundamentally vulnerable.

For thirty years, the web relied on the same-origin policy, a foundational security rule introduced by Netscape Navigator in 1995. This rule prevents any script or application on one website from reading data belonging to another. When you open Gmail and your bank in adjacent tabs, the bank page cannot see your Gmail contents. Agentic browsers make that protection irrelevant, not by breaking it, but by design. When a user authorizes an AI agent to act across the web, the agent operates with the keys to every domain the user has logged into.

"Now you have an application that can perform actions like a human. It gets logged as if those actions are taking place like a human in some respects, and it opens the world to new challenges," noted Josh Hoodlet, a security researcher at Dark Reading.

Josh Hoodlet, Security Researcher at Dark Reading

OpenAI acknowledged this reality in December 2025, stating that prompt injection is "unlikely to ever be fully 'solved." The company's mitigation approach is to design for permanent risk rather than pursue elimination. This represents a fundamental shift in how AI browser makers think about security.

How Are Different AI Browsers Handling the Risk?

The three leading agentic browsers handle the structural danger very differently. ChatGPT Atlas, launched on macOS in October 2025, is the most fully autonomous of the three. In agent mode, it interprets a high-level instruction, plans a multi-step sequence, then executes it across any sites the user is logged into. Its Browser Memories feature uses the ChatGPT memory system to carry context across sessions.

OpenAI has been specifically targeted by prompt injection researchers because of Atlas's autonomous depth. The company shipped a security update in December 2025 after internal automated red-teaming found a new class of prompt-injection attacks. The update included an adversarially trained model and strengthened safeguards. OpenAI builds what it calls an LLM-based automated attacker, an AI system trained with reinforcement learning to actively search for vulnerabilities in Atlas, and runs it continuously.

Perplexity's Comet went free to all users in October 2025 and has become a target for security research precisely because of its widespread adoption. The Browser Company's Dia, now part of Atlassian, represents a third approach to the same fundamental problem.

Steps to Understand Your Risk With Agentic Browsers

• Recognize the threat model: Prompt injection attacks don't require the attacker to compromise your device or exploit a software flaw. They work by embedding hostile instructions in content you visit, making them nearly impossible to prevent entirely.
• Understand what data is at risk: When you authorize an AI agent to act on your behalf, it has access to your email, banking sessions, login credentials, and any other authenticated session you have open simultaneously.
• Accept that mitigation, not elimination, is the goal: Security researchers and AI browser makers have concluded that prompt injection cannot be fully solved. The best approach is to minimize risk through safeguards and user awareness rather than expecting a complete fix.

The legal stakes around agentic browsers clarified in June 2026 when the Ninth Circuit heard oral arguments in Amazon v. Perplexity, the first federal case to determine whether an AI browser agent can legally access a third-party platform at a user's direction. That ruling will govern what all three browsers can do on your behalf.

OWASP's June 2026 State of Agentic AI Security report mapped prompt injection to six of ten categories in its Agentic Applications Top 10. Researcher Simon Willison described the "lethal trifecta": any agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally can be converted into a data-exfiltration tool by a single injected prompt. Meta's published Agents Rule of Two states that without human supervision, an agent should satisfy at most two of those three properties at once. Every agentic browser, by design, combines all three.

The category of agentic browsers is barely a year old. All three leading options reached broad availability during 2025 and early 2026. As adoption accelerates, the security research community's consensus is clear: the same property that makes these browsers powerful is what makes them structurally dangerous, and that danger cannot be engineered away.