The 30-year-old security rule that AI browsers are quietly breaking
Since 1995, every major web browser has followed a rule called the same-origin policy. It’s simple: a website open in one tab cannot read data from a website in another tab. If you’re logged into your bank on Tab A and you open a random link on Tab B, that random site gets zero access to your balance or transactions.
AI browsers break that rule by design. To summarize a page, book a flight, or buy something across multiple tabs, they need to read content from different origins. That’s the whole selling point. But a new study from the University of Washington reveals a dangerous trade-off: the more capable the AI browser, the bigger the security hole.
Researchers tested seven popular AI-powered browsers and found that four of them contain AI browsers security flaws serious enough to let malicious websites steal data from other sites you have open simultaneously.
Two attack methods: prompt injection and memory poisoning
The study identified two specific ways attackers can exploit these AI browsers security flaws. The first is prompt injection. A malicious webpage hides secret instructions inside its content. The AI agent reads those instructions and follows them without realizing it’s been manipulated. Suddenly, the agent might expose your private emails, passwords, or calendar details to an attacker.
The second method is memory poisoning. Here, planted instructions don’t just execute immediately — they get stored in the agent’s long-term memory. Even after you close the original malicious page, those instructions can activate later. The researchers ran a successful proof-of-concept attack on ChatGPT Atlas, proving the risk is not theoretical.
“The broader access that AI agents need to function is exactly what attackers can exploit,” the researchers wrote in their paper.
Which AI browsers are vulnerable — and which ones are safe?
Out of the seven browsers tested, four were found to have exploitable vulnerabilities:
- ChatGPT Atlas — vulnerable to both prompt injection and memory poisoning
- Chrome with Gemini — exploitable via prompt injection
- Claude for Chrome — flagged as particularly risky because its browser extension design lets it inject code directly into webpages
- Perplexity Comet — vulnerable to prompt injection
Three browsers showed stronger security properties:
- Microsoft Edge with Copilot — better isolation between tasks
- Brave Leo — stronger same-origin enforcement
- Firefox AI Mode — most secure, but also the most limited in capability
The pattern is clear: capability and security are in direct tension right now.
How companies responded to the findings
The University of Washington team disclosed their findings to all affected companies before publishing. The responses varied widely.
Anthropic (Claude for Chrome) and Firefox did not respond at all. Perplexity and OpenAI declined to take action, arguing the researchers lacked a complete end-to-end attack demonstration. In other words, they wanted a working exploit that could actually steal data in a real-world scenario — not just a proof of concept.
Google, Microsoft, and Brave engaged constructively with the findings. Google said it is reviewing the research internally. Microsoft and Brave both indicated they are working on patches or design changes.
This is part of a bigger pattern
The study comes on the heels of the BioShocking exploit, which also showed how AI browsers can be manipulated by context. That attack used hidden text in webpages to trick AI agents into performing unintended actions. The UW research extends the same concern to data theft across tabs.
For now, the message from researchers is blunt: AI browsers are moving faster than their security can keep up. If you’re using one of the vulnerable browsers, consider whether the convenience of AI-powered browsing is worth the risk of exposing your bank, email, or calendar data to a malicious site.
And if you’re a developer building on top of these tools, the same-origin policy isn’t outdated — it’s still the bedrock of web security. Breaking it without proper guardrails is asking for trouble.