Agentic Browsers: Inherent Security Flaws Confirmed

Agentic web browsers, while useful for accessing email and banking simultaneously, face a core security challenge. Security researchers confirmed in early June 2026 that no agentic browser can be fully secured. This is because prompt injection, an attack technique that turns a browser agent against its owner, is unlikely to ever be fully solved. OpenAI stated this in December 2025. The problem is structural: the same feature that makes these browsers powerful also makes them dangerous. The three leading options are OpenAI's ChatGPT Atlas, Perplexity's Comet, and The Browser Company's Dia, now part of Atlassian. All became broadly available in 2025 and early 2026. Agentic browsers bypass the long-standing "same-origin policy," which has protected web security for 30 years. This policy prevented one website from accessing data from another. Agentic browsers, however, are designed to operate with full user-level access across all logged-in domains. This means the same-origin policy no longer applies. The danger comes from indirect prompt injection. An attacker can embed hostile instructions in web content, and the agent's AI, unable to distinguish it from legitimate commands, may follow those instructions. This matters because it highlights a fundamental security risk in a new category of powerful browsing tools.