Cybersecurity experts have uncovered a new and alarming browser exploit that targets users of OpenAI’s Atlas and Perplexity’s Comet—two cutting-edge AI-powered browsers. The attack, known as AI Sidebar Spoofing, allows malicious actors to overlay fake AI sidebars that mimic genuine interfaces, tricking users into following dangerous or malicious instructions.
The vulnerability, discovered by researchers at browser security firm SquareX, affects the latest versions of both browsers. In their findings, SquareX demonstrated three real-world attack scenarios where threat actors could use this spoofing technique to steal cryptocurrency, gain unauthorized access to Gmail or Google Drive, and even hijack entire devices.
How the Attack Works
Both Atlas and Comet integrate large language models (LLMs) directly into their sidebars, allowing users to summarize web pages, run commands, or automate tasks. While these features make browsing more interactive, they also introduce new security risks. SquareX found that a malicious browser extension can inject JavaScript code to overlay a counterfeit sidebar that looks exactly like the legitimate one.
Once injected, the fake sidebar completely replaces the genuine AI interface, intercepting all user interactions. This allows attackers to redirect users to phishing pages, harvest sensitive data, or execute remote commands without the victim’s knowledge. The researchers note that such an extension would only need common permissions like “host” and “storage,” making it easy to disguise as a harmless productivity tool such as Grammarly or a password manager.
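Because the extension described above needs nothing beyond host access and storage, a useful defensive step is to inventory which installed extensions hold host access to every site. The following is an added example, not SquareX's tooling or code from either browser: it audits parsed `manifest.json` objects, and the sample manifests and function names are constructed for illustration. Broad host access is common among legitimate extensions, so the output is a review list, not a verdict.

```javascript
// Added example: list extensions whose manifest grants access to every site.
// Standard WebExtension match patterns that cover all (or all http/https) sites.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host match patterns contain "://" or are "<all_urls>"; API permissions ("storage") do not.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // Manifest V3 lists hosts in host_permissions; Manifest V2 mixes them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...perms.filter(isHostPattern)];
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const broadHosts = hosts.filter((h) => BROAD.has(h));
  const broadScripts = scriptMatches.filter((m) => BROAD.has(m));
  return {
    name: manifest.name,
    broadHosts,
    broadScripts,
    usesStorage: perms.includes("storage"),
    // Broad host access is the precondition for drawing over arbitrary pages; whether
    // the extension actually injects depends on its content scripts or scripting calls.
    broadAccess: broadHosts.length > 0 || broadScripts.length > 0,
  };
}

// Return only the extensions that deserve a manual look.
function auditAll(manifests) {
  return manifests.map(auditManifest).filter((r) => r.broadAccess);
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = [
  { manifest_version: 3, name: "Writing Helper (constructed)",
    permissions: ["storage"], host_permissions: ["<all_urls>"] },
  { manifest_version: 2, name: "Legacy Notes (constructed)",
    permissions: ["storage", "*://*/*"] },
  { manifest_version: 3, name: "Site Tool (constructed)",
    permissions: ["storage"], host_permissions: ["https://example.com/*"] },
  { manifest_version: 3, name: "Page Styler (constructed)",
    content_scripts: [{ matches: ["https://*/*"], js: ["style.js"] }] },
];

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.name}: hosts=[${r.broadHosts}] scripts=[${r.broadScripts}] storage=${r.usesStorage}`);
}
```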
In their test, SquareX used Google’s Gemini AI within the Comet browser to simulate attacks, creating malicious instructions that responded to user prompts. The examples included redirecting users to fake crypto exchanges, launching OAuth phishing attacks, and tricking them into installing reverse shells that grant hackers full remote control over a computer.
Impact on AI Browser Users
Although Comet was released in July and Atlas just launched for macOS, both have already drawn attention for their security vulnerabilities. SquareX confirmed that the spoofing attack works seamlessly on both browsers, highlighting a significant trust issue in agentic AI systems that combine web browsing with autonomous LLM functions.
Neither OpenAI nor Perplexity has responded to SquareX’s disclosures or media inquiries, raising concerns about the pace of security updates in this fast-evolving sector. Until proper safeguards are implemented, users are advised to limit AI browser activity to non-sensitive tasks and avoid using them for anything involving financial transactions, email access, or private data management.
Conclusion
As AI-driven browsers gain popularity, they also become prime targets for cybercriminals seeking to exploit the gap between innovation and security. The AI Sidebar Spoofing attack serves as a wake-up call: trusting an AI interface blindly can lead to severe consequences. Developers must prioritize robust verification systems, while users should remain cautious and skeptical of any sidebar-driven instructions, especially those involving personal or financial data.





