The Weaponized Internet Theory

A few days ago, OpenAI released their long-awaited Atlas browser. I’m a huge fan of AI agents, and as someone who spent 6 months working on AI browsers on the product and engineering side, I love seeing new players enter the space. However, there’s a massive security problem with these browsers and the entire agent landscape that most people seem to be ignoring. I’m calling it “The Weaponized Internet Theory.”

The beauty of agentic AI browsers is that they can do things on your behalf. They can buy products on Amazon, send important emails, buy plane tickets for an upcoming trip, and so much more. This is great when you’re the one steering the model, but what happens when you’re not?

AI browsers intake tons of context from the websites that they visit. This includes text displayed on the screen, JavaScript, HTML, and the content shown in advertisements. This opens up a massive security vulnerability via prompt injection attacks.

Any website can contain malicious text that could instruct the browser to log into banking sites or send an email containing personal information. In Perplexity’s Comet browser, an attacker can use something as simple as a Reddit comment to gain access to your Perplexity account. Using an agentic browser means that the entire internet is a security risk, and the attack surface area is nearly infinite. Hidden pixels, HTML or CSS comments, Google Ads, literally everything can be an exploit.

In the modern AI agent landscape, great companies are building fantastic products that are still vulnerable to a few carefully written sentences, and any tool that utilizes outside input (chat messages, websites, code, etc.) is at risk. The launch of Atlas feels like a key inflection point for the future of AI security.

What happens when the entire internet becomes a weapon for prompt injection?

If you want to learn more about how I’m solving this problem, join the waitlist at savira.dev. And if you think I’m crazy, let me know what I’m wrong about.