AI Browsers – The Future or a Cybersecurity Nightmare?
November 26, 2025
Executive Summary
AI browsers from OpenAI, Perplexity, and others promise to automate our daily online activities – from checking bank accounts to managing emails. But should wealth managers adopt them?
This month, I spoke with Luke Jacobson, a cybersecurity researcher with a private banking background, based in Geneva, to understand the risks and opportunities. Luke conducted hands-on security testing of Perplexity’s Comet browser to assess its vulnerability to prompt injection attacks – a critical security flaw affecting all current AI systems.
His verdict: while recent improvements have been made, AI browsers in their current state present risks that far outweigh their utility for wealth management professionals. The combination of automated capabilities and unsolved security vulnerabilities creates exposure points for client data, strategic positions, and confidential information that regulated institutions cannot afford.
What are AI browsers and what is so new about them?
AI browsers are fundamentally different from traditional browsers like Chrome, Edge, Firefox, or Safari. While we use conventional browsers to access the internet – checking bank accounts, taxes, emails, news – AI browsers promise to perform these activities autonomously on our behalf.
The major AI companies are heavily promoting this capability. OpenAI, Perplexity, and others position AI browsers as the next evolution of web interaction: instead of you navigating websites and performing tasks, the AI does it for you.
To be honest, I was hesitating to test it on my corporate laptop. It’s the first time I am not immediately trying out a new AI feature due to cybersecurity concerns. So what happens when you install an AI browser? Does it immediately have access to all your files?
I understand your hesitation – it’s actually the right instinct. Let me share a story from my experience that illustrates why this caution matters.
I’ll never forget my first day at a private bank. I naively asked my IT manager “can I download this application to troubleshoot?” His swift reply was “No, absolutely not, you will download nothing, you will install nothing.” As a junior IT support technician I didn’t really understand at the time – I just wanted to help.
What I later understood was the principle of “software whitelisting” – a company policy that should be standard wherever possible in regulated environments.
The reason is fundamental: in any company, every application and every device is a door into the organization. If that door is not properly vetted, it becomes an easy entrance for malicious actors.
If the typical application is a door, then the recently released AI browsers are like a massive open gate. At least, that’s what everyone in cybersecurity has been saying. So I decided to put it to the test.
You tested Perplexity’s Comet browser specifically. What did you find?
My favorite AI tool, Perplexity – a fantastic tool for pulling news and information from multiple sources – has been promoting its browser Comet. According to security research published by Brave, it’s extremely vulnerable to “prompt injection” attacks.
Prompt injection is when an AI is tricked by a third party into doing something malicious that it’s not supposed to do. It’s an unsolved security flaw in all of today’s AI tools. So I decided to put it to the test and see how prone Comet is to this kind of attack. Is it really such a security disaster?
Out of the box, Comet is not the T-1000 Terminator ready to take over your computer. It functions as a standard browser with three key features: Summarize, Voice mode, and Assistant.
I attempted to replicate Brave’s proof-of-concept prompt injection attack. Turns out it’s a lot harder than it looks. I created an extremely simple web page with a simple instruction and asked Comet to summarize it. The summary feature wasn’t easily hijacked by this page. I then incrementally increased the sophistication of my prompt injection attempts, but none were successful – the summary tool did exactly what it’s supposed to: it provided a summary but performed no actions.
So the good news is that hijacking the summary feature in Comet with prompt injections has been made much harder to exploit compared to the initial proof of concept done in August by Brave.
However – and this is the critical point – this does not mean it is safe to use.
So where does the real vulnerability lie?
In Assistant mode, the browser begins performing actions on your behalf, responding to your requests through a chat interface. For example, the YouTube video in your browser can be analyzed by the assistant, or it can help you navigate and interact with websites.
But once you grant this level of control – once actions are being performed autonomously on your behalf – you become vulnerable from multiple angles.
Security researchers have already demonstrated that your every chat and response can be manipulated and forwarded to a remote attacker’s server through an invisible image.
Let me paint a concrete scenario: Imagine you’re browsing a local, likely extremely insecure, sushi website and you ask Comet to order some Maki rolls on your behalf using their “assistant mode.” All an attacker needs to do is insert an invisible image into the website, and suddenly the attacker can receive every chat and response with your AI assistant – and can even manipulate the responses that you’re receiving.
Now translate this to a wealth management context: your strategic positions, confidential client information, personal information could all potentially be leaked when adopting these types of browsers as your daily use.
What is your recommendation for wealth managers? Should they use AI browsers or not?
My recommendation is unambiguous: while improvements have been made in the last few months in terms of security, wealth managers should not use AI browsers in their current state. The utility they offer does not outweigh the risk involved.
This is not a theoretical concern. The combination of three factors creates unacceptable risk:
- Unsolved security vulnerabilities: Prompt injection remains an active exploit vector with no comprehensive solution
- Autonomous operation: AI browsers are designed to act independently, which means compromises can occur without immediate detection
- Sensitive data exposure: Wealth managers interact with precisely the type of information that attackers “consider a goldmine” – financial data, client identities, strategic positions, transaction details
While implementing AI tools in your company can increase productivity, some of them do so at a massive risk to security. It’s too early and too risky to use these AI browsers.
Thank you very much, Luke, for sharing your expertise with us.
Sources:
- Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet – Brave Browser
- Perplexity Comet Browser
- AI Browser Security Demonstration
About the Author: Dr. Andreas K. Janoschek specializes in AI applications for European Asset & Wealth Management. Based in Geneva, he helps industry professionals to stay ahead of competition by securely advancing with AI.
About the Expert: Luke Jacobson is a cybersecurity researcher with a private banking background, based in Geneva.
This newsletter aims to inform and does not constitute investment or legal advice. Always consult with qualified professionals for specific circumstances.
