- itscybernews
- Posts
- Your browser can now book your whole holiday while you sleep. A stranger can hide one sentence on a webpage and point it at your inbox instead.
Your browser can now book your whole holiday while you sleep. A stranger can hide one sentence on a webpage and point it at your inbox instead.
A new kind of browser doesn't just show you pages — it clicks, fills forms, and checks out for you. It's one of the most useful things AI can do right now. It's also why a single line of invisible text can talk your browser into emptying your inbox. Here's the marvel, and the trapdoor.
For thirty years a web browser did exactly one thing: it showed you a page and waited. Every click, every form, every checkout — that was you. In 2026, that changed. Your browser can now do the clicking.
Type “find me a morning flight to Paris in May under $600 and cross-check a hotel in the 11th” into a browser called ChatGPT Atlas, and it will open tabs, compare Google Flights, pick a route, jump to the airline’s site, and fill in the booking form — while you go make tea. OpenAI launched Atlas in October 2025; Perplexity’s rival, Comet, does much the same. The industry has a name for these things now: agentic browsers. One reviewer put it perfectly — the AI just went from “a brain in a jar” to “a robot on the internet.”
It’s one of the most useful tricks AI has ever pulled. It’s also the reason security researchers spent the back half of 2025 quietly setting their hair on fire. Both of those are true — and this issue is about holding both.
The wonderful part: an assistant that actually does the errand
Let’s start with why people love this, because the good version is genuinely a small miracle.
A normal browser makes you the labour. Fifteen tabs, six logins, copy-pasting the same address into four forms — the internet quietly turned all of us into unpaid data-entry clerks. An agentic browser takes that job back. You describe the outcome; it does the steps.
The demos are not hype. Atlas’s agent mode can navigate, click buttons, fill fields, apply filters, and push through multi-step flows like a shopping cart or a booking — all while you watch, or even while you’re away from your computer, as OpenAI’s own walkthrough shows.
For a lot of people that’s not a gimmick, it’s time back:
A carer juggling three part-time jobs tells it to “renew the car tax and find the cheapest home insurance quote for these details” — and reviews the results instead of doing the legwork.
A small-business owner says “pull the three cheapest suppliers for this part and start a quote request with each” and gets a shortlist instead of an afternoon of tabs.
A traveller hands it a messy brief — dates, budget, a neighbourhood, morning departures only — and it juggles flights and hotels together, the way a good travel agent used to.
The tools aren’t perfect — Atlas has flubbed a restaurant booking by clicking around without checking the date, and testers say it can be slow. But the direction is unmistakable. The web is turning from something you operate into something you delegate to. That’s a real superpower, and it’s arriving for everyone.
The catch: your agent reads the whole web — and the web can talk back
Here’s the part the demo videos leave out. Your old browser showed you a scam page and let you decide. Your new browser reads the page — and if that page contains instructions, the agent can’t always tell the difference between “content I’m summarising” and “a command from my boss.”
That flaw has a name: prompt injection. The nastiest flavour is indirect prompt injection — malicious instructions hidden in something the agent reads: a webpage, a PDF, a shared doc, a clipboard link, even a buried comment on a forum thread. The text can be invisible to you (white-on-white, or tucked in a hidden element), but the agent reads it and, unless it’s been trained and fenced against it, does what it says.
This isn’t a maybe. In 2025, the browser company Brave published research showing that all AI-powered browsers are exposed to indirect prompt injection, and disclosed a specific flaw in Perplexity’s Comet. Researchers showed a few hidden words in a shared doc or a clipboard link could steer Atlas’s agent. And the first time this class of attack was caught being weaponised in a real product was EchoLeak (CVE-2025-32711): a single crafted email that quietly coerced Microsoft’s Copilot assistant into pulling internal files and shipping their contents to an attacker’s server — with no click from the victim at all.
The most sobering part is who’s saying it can’t be fully fixed. In December 2025, OpenAI itself stated plainly that prompt injection is “unlikely to ever be fully solved,” and that turning on agent mode “expands the security threat surface.” The UK’s National Cyber Security Centre said much the same: these attacks may never be completely mitigated — the goal is to reduce risk and limit the blast radius.
The thread tying it together: the moment you give an assistant your credentials and the power to act, every page it reads becomes a possible instruction. The scarce thing stops being doing the task and becomes making sure only you can give the orders.
The good news: 2026 is the year the guardrails showed up
Here’s the encouraging part, and it’s bigger than it looks: the people who build these browsers took the threat seriously fast — and they’ve handed you real controls.
Confirmation gates. Every serious agentic browser now pauses before it buys something or logs into an account and asks you to approve. It’s the single most important defence, and it’s on by default. If a setting offers to let the agent act “without asking,” that’s the one setting you should never flip.
Logged-out mode (Atlas). You can run the agent without handing it your signed-in sessions. If the task doesn’t need your accounts, this alone removes most of what an attacker could steal — the agent simply doesn’t have the keys.
Lockdown Mode (OpenAI, June 2026). An optional setting that switches off the risky pathways entirely — agent mode, live browsing, file downloads — to block data from being siphoned out.
Hardening under the hood. After internal red-teaming uncovered a fresh class of injection attacks, OpenAI shipped a security update for Atlas with an adversarially-trained model built to resist these tricks. Perplexity published its own mitigations for Comet.
None of this makes prompt injection vanish — the vendors have said so out loud. But for once the counter-moves landed in the same year as the threat, and the most effective ones are settings you control. That, in this newsletter, is practically a happy ending.
What to actually do
If you use (or are tempted by) an AI browser:
Keep the confirmation gate on. Always. Let it propose the purchase or login — you press the button. Never enable “act without asking.”
Run logged-out when you can. If you’re just researching or comparing, the agent doesn’t need your inbox or your saved cards. Only sign it into the specific site the task actually requires.
Give it narrow, specific jobs — not open-ended ones. “Compare these three laptops and list the cheapest” is safe. “Read my emails and handle whatever needs handling” hands a stranger the wheel if one of those emails is booby-trapped.
Be stingy with account connections. When it asks for “broad access to your Google account,” ask whether this task truly needs it. Usually it doesn’t.
Keep everything updated. These fixes ship constantly, and an out-of-date agentic browser is the worst of both worlds.
If you run a website or a team: assume agents will read your pages — and that attackers know it. Treat user-generated content (comments, docs, tickets) as untrusted input to any AI that might process it, and keep sensitive actions behind a human confirmation step.
The takeaway
Picture the good version again: a carer with no spare hours telling a browser to renew the car tax and find a cheaper insurance quote — and actually getting the evening back. A wall of tedious clicks that stood for thirty years just came down, and a lot of the internet’s quiet drudgery came down with it.
But the same magic that lets your browser act for you lets a hidden sentence act through it. The difference between a tireless assistant and an inside man isn’t the technology — it’s whether the machine can still tell your orders from a stranger’s. The fix isn’t to smash the tool. It’s to keep the keys: confirm every action, log out when you can, and never let it act on a whole inbox it read from a web it doesn’t trust.
The browser that runs your errands finally arrived. Let’s make sure it only ever takes orders from you.
Reply and tell us: would you let an AI browser check out with your saved card while you’re away from the screen — or is that a step too far? Best answers get featured next week.
— itscybernews · written by a human, edited by a slightly suspicious agent ·