Researchers at security firm SquareX say OpenAI’s Atlas and Perplexity’s Comet browsers are vulnerable to an attack that can spoof the built-in AI sidebar and lead users to follow malicious instructions.
SquareX reported that the exploit, dubbed AI Sidebar Spoofing, works by using a browser extension to inject JavaScript into web pages and draw a counterfeit sidebar over the genuine AI interface. The fake element can intercept all user interactions, leaving users unaware that they are not interacting with the browser’s real AI tool.
The researchers said the malicious extension needs only common permissions, such as host and storage access, which are frequently granted to productivity extensions. During testing, SquareX used Google’s Gemini model inside the Comet browser to demonstrate that the spoofed sidebar could be made to respond with harmful instructions under specific prompts.
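A defender-side check for the permission profile described above, as an added example that is not from SquareX's report: it flags extensions able to run script on every site, the capability a page overlay depends on. It assumes the Chromium-style `manifest.json` format; the function names and sample manifests are constructed for illustration.

```javascript
// Added example (not from the SquareX report). Assumes Chromium-style
// manifest.json fields; the sample manifests below are constructed.

// True when a match pattern covers every host, e.g. <all_urls> or *://*/*.
function isBroadHostPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|[a-z-]+):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns the findings relevant to page-overlay injection for one manifest.
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
  const hosts = (manifest.host_permissions || []).concat(
    perms.filter((p) => p === "<all_urls>" || p.includes("://")));
  const scriptMatches = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);
  const findings = [];
  if (hosts.some(isBroadHostPattern)) findings.push("broad-host-access");
  if (scriptMatches.some(isBroadHostPattern))
    findings.push("content-script-on-all-sites");
  if (perms.includes("storage")) findings.push("storage");
  // Storage alone is harmless; the ability to run on any site is what matters.
  const review = findings.some((f) => f !== "storage");
  return { name: manifest.name, findings, review };
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLE_MANIFESTS = [
  { name: "Quick Notes", manifest_version: 3, permissions: ["storage"],
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }] },
  { name: "Example.com Helper", manifest_version: 3, permissions: ["storage"],
    host_permissions: ["https://example.com/*"],
    content_scripts: [{ matches: ["https://example.com/*"], js: ["c.js"] }] },
  { name: "Legacy Tool", manifest_version: 2,
    permissions: ["storage", "*://*/*"] },
];

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.review ? "REVIEW" : "ok    "} ${r.name}: ${r.findings.join(", ")}`);
}
```

A flag here means the extension warrants review, not that it is malicious: as the researchers note, these permissions are frequently granted to productivity extensions.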
SquareX highlighted three realistic scenarios in its report where attackers could exploit the spoofed sidebar: steering users to phishing pages to steal cryptocurrency, carrying out OAuth-style attacks through fake file‑sharing apps to capture Gmail and Google Drive access, and instructing users to run commands that install a reverse shell to hijack devices.
Comet was released in July and ChatGPT Atlas became available for macOS earlier this week. SquareX said it initially tested the technique on Comet and later confirmed the same approach works on Atlas. The company reported its findings to Perplexity and OpenAI but said neither had responded; the publisher also sought comment and did not receive a response by publication time. Comet has been the subject of prior research identifying security risks.
SquareX warned that the overlay can be applied across sites visited by a user, potentially triggering a wide range of dangerous prompts. The researchers and the publisher recommend that users treat agentic AI browsers as immature for sensitive tasks and avoid using them for email, financial transactions or other private data until stronger safeguards are in place.

