The pros and cons of AI-powered browsers

A race between tech giants is unfolding before our very eyes. Who’ll be the first to transform the browser into an AI assistant app? As you test these new products, be sure to consider their enormous impact on security and privacy.

Cybersecurity and privacy in LLM-powered AI browsers

Whether superintelligent AI arrives by 2027 is anyone’s guess. However, the forecast for 2026 is already clear: the year will be defined by easily accessible AI agents — large multimodal models capable of building and executing a chain of actions based on user commands. Agentic features are already available on the ChatGPT website and from other providers, but achieving maximum performance requires these agents to execute actions directly on the user’s computer rather than in the cloud. The ideal solution would probably be an AI-powered OS, but creating a new operating system is a challenge. Because of this, all minds are focused on a user-friendly and effective alternative: the AI browser. And by that we mean a regular web-browsing application with a deeply integrated LLM. The AI model can view all open web pages, process information from them, and issue the same commands a user typically would, such as opening, clicking, entering data, saving, and downloading.

The market leaders all see the value of this solution. For instance, Perplexity has released its own Comet Browser and recently made a multi-billion-dollar bid to buy Chrome, while OpenAI has started developing its own browser. Google and Microsoft are in a better position, integrating Gemini and Copilot into their existing Chrome and Edge browsers, respectively. Meanwhile, Mozilla is approaching the same goal from a different angle: gradually integrating AI features deeply into its Firefox browser.

As a result, you’re already seeing ads encouraging you to “upgrade your browser” by either downloading the latest version, or activating “smart features” in your current one. Next year, they’ll be wall to wall. The only thing left to decide will be why you need all this, and whether the benefits are worth the emerging risks.

Why you might need an AI browser

An AI assistant perfectly integrated into your browser can free you from many tedious tasks. With the press of a button, you can get a quick summary of a long article or a two-hour video; or instead of reading a lengthy document, you can ask a question about its content. All of this happens quickly and naturally, without the need to copy and paste links or text into a chatbot tab.

But the real breakthrough will come with agentic features: the ability to perform specific actions rather than just process data. For example, you could open your favorite marketplace and tell the assistant to add everything you need for a three-day backpacking trip in August to your cart.

Unlike similar features already available on AI provider websites, this agentic activity takes place directly on your computer. Online services recognize you since you’re already logged in, and operations occur much faster than they would on a cloud virtual machine — though better results aren’t guaranteed.

Information retrieval features can also provide more relevant results in an AI browser running on your device because bots like ChatGPT, Claude, and Perplexity are blocked from many websites. This prevents LLMs from considering many up-to-date sources in their answers. With these features running from within the browser, the problem will be significantly alleviated as the AI assistant will access websites on your behalf. Additionally, if you’re subscribed to any restricted data sources, such as scientific journals or stock market reports, the AI agent will be able to use them as needed.

Why AI companies need such a browser

Some AI solution providers’ motivations they state themselves, while others require educated guesses based on the business models of Big Tech.

Billions of users. Successful entry into the browser market is a ticket to the largest possible user base. Sure, acquiring Chrome, or at least Firefox, would be ideal, but failing that, tech players can always push their own browser high up the popularity ladder.

“Stickiness”. A service that’s built directly into the browser will see more frequent use because it’s always within easy reach. Besides, it’s harder to switch from a familiar browser: it takes significant effort to migrate bookmarks and extensions to another browser and set it up. This is way more than simply closing one chat tab and opening another.

More information. If there are many users, and they access the service frequently, they feed the AI provider more information, allowing new versions of language models to be trained faster, helping to improve the product. A browser has access to all user web traffic, so training can be done on any website data — not just on conversations with the model.

New training methods. The provider gains a gold mine of behavioral data. Currently, AI agents work by looking at web pages and figuring out what button to press. This is similar to how humans think out loud: it’s a slow and not very efficient process. Training on mouse movements and clicks will allow for a completely new layer in the model, resembling motor memory which, just like in humans, will be faster and more efficient.

Sufficiently bold providers could even utilize user files on the computer for training. Newer versions of Facebook are already doing something similar by sending unpublished photos from the user’s phone gallery to the cloud.

Lower costs. AI providers’ enormous server costs would decrease because some of the work would be done directly on the user’s computer instead of on a virtual machine in the cloud.

Bypassing blocks and paywalls. AI model training is already facing a shortage of new information, with the problem exacerbated by many websites blocking access to AI agents. Cloudflare, which protects one in five websites, including the vast majority of larger ones, has enabled this policy by default. Sending data requests from the user’s computer addresses these challenges: the AI agent’s activity is indistinguishable from the computer owner’s.

A distributed network of browsers makes it possible to access websites for things like model training, without running into restrictions. In principle, this also allows downloading publicly unavailable data, such as articles in subscription-based journals.

Impact on privacy and confidentiality

All of this means that an AI browser creates significant, poorly controlled threats to your privacy. AI companies get access to all of your traffic, your entire web history, the full content of those websites, and all the files on your computer.

As a result, you might unintentionally feed deeply personal or restricted data — like books you purchased, or unpublished scientific papers — into a publicly available AI system. You could also accidentally leak highly confidential information from work websites, such as draft financial reports, in-progress designs, or other trade secrets.

This isn’t some sci-fi scenario: in 2023, ChatGPT mistakenly revealed snippets of users’ chats, and the “share chat” feature — available to ChatGPT users until July 31, 2025 — resulted in tens of thousands of user conversations being indexed by search engines and made available to anyone.

What makes AI-powered browsers a security risk

Incidents involving AI applications are becoming commonplace, and paint a worrying picture.

In a recent experiment, researchers successfully tricked an AI agent within the Comet browser into downloading malware onto its owner’s computer. They did this by sending a fake email to the victim’s account, which the agent could access, stating falsely that it contained blood test results. To download them, the user had to click a link and complete a CAPTCHA. When the AI agent tried to download the results and encountered a CAPTCHA, it was prompted to complete a special task, which the agent “successfully” handled by downloading a malicious file.

In another experiment by the same team, an AI assistant was persuaded to buy products from a scam site. Considering that passwords and payment information are often saved in browsers, deceiving an AI agent could lead to real financial losses.

The researchers noted that AI is highly susceptible to social engineering, and tried-and-true human deception tricks work well on it. While the tests were conducted in the Comet browser, the same thing would happen in any browser with AI agent capabilities.

Another risk is that a browser is a fully featured application with broad access to files on the computer. By obeying a prompt injection on a malicious site, a browser assistant can delete the user’s files, or upload them to fraudulent websites without permission. A recent example involving the hack of the Nx application demonstrated this: the malicious code didn’t search for crypto wallets or passwords on infected developers’ computers itself; instead, it simply instructed previously installed AI assistants to find the files it needed.

A third, still hypothetical, risk is related to the fact that more and more countries are passing laws against accessing illegal information online. The list of what’s forbidden differs from country to country, from child sexual abuse and terrorism to unlicensed books and cryptographic technology. If some players in the AI browser market decide to use their browser as a crawler (search bot) to train new LLMs, or if an AI agent is attacked with a prompt injection, the AI assistant could start searching for such information without the user’s request. How the user would prove that it was the AI looking for the data is an open question.

We also shouldn’t forget about traditional software vulnerabilities. Hundreds of dangerous defects are found in browsers every year because browser security is a complex engineering task. Even with the Chromium team doing the lion’s share of the work, there’s still plenty for wrapper developers to do. Will enough attention be paid to testing and fixing vulnerabilities in AI-powered browsers? It’s not a given.

Finally, sloppy implementation of AI features can lead to excessive memory and CPU consumption, as demonstrated by the recent release of Firefox 141. While this doesn’t directly threaten security, the lags and glitches annoy users and increase the chance of human error.

What makes for an ideal AI browser

To enjoy the benefits of AI without creating unnecessary risks, you should choose a browser that:

  • Allows you to enable and disable AI processing with a single click for individual sites and groups of sites, while isolating AI models and their conversation context between different sites.
  • Guarantees that the AI only downloads and sends information based on specific user requests.
  • Lets you choose the AI model, including a fully local one.
  • Performs self-checks, and isn’t afraid to double-check with the user in questionable situations.
  • Asks for confirmation before entering sensitive data or making purchases.
  • Has built-in, OS-level restrictions on access to files and data.

No such browser with these specific features currently exists on the market. Also, all of these measures won’t suffice to protect you from phishing and scam sites and the risks associated with landing on them. So, in addition to a smart browser, it’ll be even more imperative to have an external system in place to deliver full-fledged protection of your computer and smartphone from cyberthreats.

Read about other AI-related risks:

Tips
  • For all other countries