AI browsers promise to let you surf the web by simply telling an agent what you want. More often than not they behave as intended, but new research suggests the agent can also be directed, silently, by hostile content. Brave Software described prompt-injection attacks that tuck instructions into images and webpages, and showed how agentic browsers can be coerced into visiting attacker sites or reading inbox content without users suspecting anything until it is too late.
The results arrive just as AI-first browsing is heating up, with new entrants and features emerging from the major labs. The fundamental warning is not hype: if a browser lets an AI agent act while you are signed in, a poisoned page or image can become a remote control.

What Brave found in testing agentic browser attacks
Brave’s researchers demonstrated that they could manipulate Perplexity’s Comet by requesting it to analyze an image containing faint text that is hard for humans to read.
The model read those hidden instructions and began to follow them (for example, navigating to a particular domain or viewing user data open in the session).
The same thing happened with the Fellou browser: all it took was instructing the AI to visit a booby-trapped site whose pages carried invisible or hard-to-spot commands. In a Brave demo, the agent tried to fetch the subject line of an email and send it off-site. In either case the user could intervene and break the chain, but there is a real window for damage once actions have already started.
Perplexity pushed back on the framing, pointing to its ongoing security research and mitigations (it is also working with other vendors to address these attacks), while Brave called on vendors to adopt more robust consent gates and isolation by default. The tension between the velocity of innovation and the hardening of safety is in full view.
How hidden image attacks work against AI browsers
Models with vision don’t “see” the way people see. They process pixels, contrast, and shapes, so low-contrast text that is practically invisible to us can often be read by an OCR-capable model. Put step-by-step instructions in that text, and once the image enters the agent’s context window, it may treat those instructions as trusted guidance.

From there, the threat is about capability as well as comprehension. If the browser lets the agent click links, open tabs, and read page content inside authenticated sessions (email, banking, and workplace portals, say), then browsing the web quietly becomes the same thing as handling sensitive data. The Open Worldwide Application Security Project’s LLM Top 10 lists prompt injection at the top for exactly this reason: models follow patterns in their input rather than respecting intent boundaries.
Why this risk is bigger than any single browser vendor
Prompt injection is not a bug in a specific model; it is a systemic failure mode that appears whenever AI agents are armed with tools and trust.
In the face of such emerging risks, NIST’s AI Risk Management Framework recommends scoping capabilities and continuous monitoring. Microsoft and OpenAI have already implemented more explicit consent prompts for agentic actions within their ecosystems, a sign that even early movers treat permissioning as a guardrail rather than an optional UX flourish.
The newest twist is multimodality. A page could attack you via text, layout, or images; a screenshot could contain instructions; a PDF might be dangerous. As AI browsers get more features — tools for form-filling, code execution, API access — the blast radius extends beyond mis-summarization to actual account compromise.
Smart mitigations that AI browser vendors should ship now
- Least-privilege by default: Whenever an agent is installed, it should be in read-only mode with explicit, per-action consent to open new sites (or read email or touch authenticated pages). No blanket approvals.
- Context hygiene: Strip or flag OCR-detected text from images before it reaches the instruction channel. Use strict tagging and “do-not-follow” edges to separate user prompts from untrusted page content.
- Capability firewalls: Route high-risk tasks (email, finance, enterprise apps) through sandboxes or disposable profiles that hold no active session state.
- Domain allowlists: Use allowlists for domains in which agents may act.
- Provenance and rate limits: Throttle autonomous clicks and network requests; log and surface every agent action to the user. Content authentication signals (e.g., signed pages, verified sources) should factor in an agent’s decision to act.
- Real red teaming: Persistent adversarial testing with text, image, and mixed-media prompts, guided by OWASP LLM guidance and independent security reviews.
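The first five mitigations above, condensed into a small policy layer that an agentic browser could place in front of every proposed action. This is an added illustration, not code from Brave, Perplexity, or Fellou; the action kinds, the `source` tag marking where an instruction originated, and the `consent` callback are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List, Set, Tuple
from urllib.parse import urlparse


@dataclass
class Action:
    kind: str              # e.g. "summarize", "navigate", "read_email", "fill_form" (assumed names)
    target: str = ""       # URL or resource the action touches
    source: str = "user"   # "user" = typed by the user; "page" = found in page/image text (assumed tag)


# Read-only actions are the least-privilege default and need no consent prompt.
READ_ONLY = {"summarize", "read_page"}


@dataclass
class ActionGate:
    allowed_domains: Set[str]                       # domain allowlist for navigation
    consent: Callable[[Action], bool]               # hypothetical UI hook: True if the user approves
    max_per_minute: int = 10                        # throttle on autonomous side effects
    log: List[Tuple[float, str, str, str, str]] = field(default_factory=list)
    _stamps: Deque[float] = field(default_factory=deque)

    def decide(self, action: Action, now: float) -> str:
        verdict = self._evaluate(action, now)
        # Every proposed action is logged so it can be surfaced to the user.
        self.log.append((now, action.kind, action.target, action.source, verdict))
        if verdict == "allow" and action.kind not in READ_ONLY:
            self._stamps.append(now)
        return verdict

    def _evaluate(self, action: Action, now: float) -> str:
        if action.kind in READ_ONLY:
            return "allow"
        # "Do-not-follow" edge: an instruction that came from page or image
        # content may never drive a side-effecting action, whatever it says.
        if action.source != "user":
            return "deny:untrusted-origin"
        if action.kind == "navigate":
            host = urlparse(action.target).hostname or ""
            if host not in self.allowed_domains:
                return "deny:domain-not-allowlisted"
        # Rate limit: forget side effects older than 60 seconds, then count.
        while self._stamps and now - self._stamps[0] >= 60:
            self._stamps.popleft()
        if len(self._stamps) >= self.max_per_minute:
            return "deny:rate-limit"
        # Per-action consent for everything that is not read-only.
        return "allow" if self.consent(action) else "deny:no-consent"
```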
Practical steps to take before you try an AI browser
- Use a second browser profile: If you have an AI browser, keep it logged out or in a disposable profile. Don’t blend it in with your main email or banking sessions.
- Say yes sparingly: Require confirmation for each agent action beyond producing a summary. If you notice the AI opening new tabs or reading inbox content, stop first and ask questions second.
- Harden the fundamentals: Block third-party cookies, enable strict tracking protection, and minimize the number of your extensions. Ensure that the agent and extension permissions are reviewed regularly.
- Treat images as untrusted input: Never ask agents to “analyze” screenshots from external third parties. If you absolutely must, use an offline tool or sandbox.
- Select transparent vendors: Favor organizations that publish security docs, incident response processes, or bug bounties. Vendors that understand prompt injection and talk about realistic defenses are taking the issue seriously.
Bottom line: AI browsers can be amazingly useful, but agentic convenience makes the web an instruction channel. Until filters get more sophisticated, any page — or image — might try to drive.