Unit 42, Palo Alto Networks’ cyber threat intelligence team, has issued warnings about the emerging security risks associated with integrating artificial intelligence into web browsers. After investigating a vulnerability in Google Chrome (which has already been resolved), experts emphasize that while AI enhances browsing capabilities, it’s crucial to maintain constant vigilance for potential security breaches in these tools.
AI-powered Browsers: A New Wave of Productivity
The terms “agnostic browser” or “AI browser” refer to a new class of web browsers that incorporate AI assistants, such as Atlas, Comet, Copilot in Edge, and Gemini in Chrome. At the core of their design is an AI assistant housed in a sidebar capable of providing real-time content summaries, automating tasks, and offering dynamic support to understand the context of the active web page.
By granting AI direct and privileged access to the browsing environment, AI-enabled browsers can perform complex multi-step operations that were previously impossible or required multiple extensions and manual steps. However, this expanded functionality and privileged access also introduce new elements and expand the attack surface, creating security risks not present in traditional browsers.
Risks of Integrating AI into Browsers
This architectural change in browsers introduces a new security challenge with two main aspects. First, the highly privileged and interactive AI assistant introduces new risks by potentially allowing attackers to send commands directly to the browser’s core. A malicious web page could instruct the AI to perform actions that a conventional security model would block, such as exfiltrating data, bypassing Same-Origin Policy (SOP), or activating privileged browser functions through advanced prompt injection techniques.
Second, integrating a complex new component like the AI sidebar inevitably reintroduces classic and fundamental browser security risks. Placing this new component within the high-privilege browser environment could unintentionally create new logical flaws and implementation weaknesses.
Gemini Live in the Chrome Browser Sidebar
As an example of these risks, in 2025, Unit 42 discovered a high-severity security vulnerability in Google’s implementation of the new Gemini feature in Chrome. This vulnerability allowed an attacker to infiltrate the browser environment and access local operating system files.
Specifically, this flaw could have enabled malicious extensions with basic permissions to hijack the new Gemini Live panel in Chrome. Such an attack could lead to privilege escalation, allowing actions like accessing the victim’s camera and microphone without consent, capturing screenshots of any website, or accessing local files and directories.
Palo Alto Networks reported this vulnerability to Google and collaborated on remediation efforts, which resulted in a patch released by Google in early January 2026.
Understanding the Threat Model
Browser extensions operate under a defined set of permissions governed by the browser’s security model. Modern browsers are designed with strong isolation mechanisms, and for good reason. If extensions could undermine the browser host, it would pose a serious security risk.
Extension-based attacks are often considered of limited interest due to the preconditions required for their initial installation. This perception stems from the context of conventional browsers. However, the shift toward browsers integrating AI introduces additional risks that could significantly increase the potential severity of extension-based attacks.
In addition to this risk, the number of malicious extensions deployed on web stores by attackers in recent years has risen. While many of these malicious extensions are quickly removed, a substantial number of victims may have installed them beforehand. Unit 42 has also observed legitimate extensions hijacked or sold to malicious actors, who then release new malicious versions targeting endpoints where the extensions are already installed.