A USENIX Security Symposium study published in August 2025 revealed that popular AI browser extensions collect sensitive user data, including medical records, banking information, Social Security numbers, and social media activity. Researchers from University College London, Mediterranea University of Reggio Calabria, and University of California, Davis conducted the analysis. The findings highlighted privacy risks in AI-assisted web browsers that have gained traction since their introduction in 2025.
AI-assisted browsers such as OpenAI’s Atlas and Perplexity’s Comet offer features like website summaries, refined searches, chatbots, and autonomous task execution. These tools challenge established browsers including Google Chrome, which holds 70 percent of the global market, Safari, Edge, and Firefox. Other entrants include Opera Neon, Dai, and ChatGPT integrations. McKinsey & Company forecasts the browser industry will generate $750 billion in revenue by 2028.
AI browsers function through persistent chatbots that analyze open webpages and agentic modes that handle tasks such as form filling, Amazon shopping, or essay editing. They process webpage content alongside prior requests, search histories, and interactions without user instructions. Browser extensions serve as interfaces for models like OpenAI’s ChatGPT, Google’s Gemini, and Meta’s Llama. Extensions inject content scripts into webpages via background service workers, enabling autonomous data scraping. This differs from web-based chatbots, which only process user-input data.
The USENIX study focused on browser extensions rather than full browsers, as leaders like Atlas and Comet launched after its completion. Extensions examined included ChatGPT for Google, Sider, Monica, Merlin, MaxAI, Perplexity, HARPA, TinaMind, and Microsoft’s Copilot. Researchers simulated browsing in private and public contexts: reading news, watching YouTube videos, viewing pornography, and completing tax forms. Extensions captured images and text such as medical diagnoses, Social Security numbers, and dating app preferences.
Merlin transmitted banking details and health records. Merlin and Sider AI recorded activity even in private browsing modes. Traffic analysis after decryption showed transmissions to company servers and third-party trackers. Sider and TinaMind shared user prompts and IP addresses with Google Analytics, facilitating cross-site tracking. Microsoft’s Copilot retained chat histories across sessions in browser storage.
Google, Copilot, Monica, ChatGPT, and Sider profiled users by age, gender, income, and interests for personalized responses over multiple sessions. Perplexity emerged as the most privacy-respecting among tested tools. It does not recall prior interactions, and its servers avoid personal data from private spaces. Perplexity still processes page titles and user location.
OpenAI released Atlas after the study. OpenAI states Atlas selectively analyzes content, but it processes all website images and text. Optional memory features store browsing history elements to customize experiences. Users cannot specify which site aspects the browser retrieves. OpenAI’s help page advises removing pages from the chat window, blocking sensitive URLs, or deleting history to limit exposure.
Atlas includes two data-related settings. “Improve the model for everyone” activates by default and permits OpenAI to use webpage data from chatbot queries for ChatGPT training. “Include web browsing” incorporates full browsing history into training. OpenAI anonymizes data before training use, though specifics on boundaries remain limited. Users can disable both settings.
Perplexity’s Comet stores search history locally on user devices, not servers. It accesses URLs, text, images, search queries, download history, and cookies for core functions. Comet’s agentic mode and Memory tool analyze search history and preferences. The browser requests Google account access, covering emails, contacts, settings, and calendars, with opt-in for third-party integrations. Perplexity’s explainer page details data settings. Experts recommend restricting the chatbot sidebar to non-sensitive pages.
AI companies often repurpose stored user data for large language model training without explicit consent. This practice extends beyond AI to social media, retailers, search engines, and messaging services through opaque agreements and default opt-ins. Browsers access more sensitive information than other platforms. OpenAI fulfilled 105 U.S. government data requests in the first half of 2025.
Security vulnerabilities compound privacy issues. Prompt injection attacks allow hackers to embed malicious content in browser backends, indistinguishable from legitimate inputs. These enable phishing and theft of credentials, banking details, and personal data.
A Brave study in October 2025 described prompt injections as a systemic challenge for AI browsers, increasing phishing risks. LayerX Security reported Perplexity Comet users face 85 percent higher vulnerability to such attacks compared to Chrome users. OpenAI Chief Information Officer Dane Stuckey stated on X that prompt injection “remains a frontier, unsolved security problem.” Perplexity’s blog called for AI companies to “rethink security from the ground up.”
The USENIX researchers tested extensions in controlled scenarios to measure data capture. In news browsing, extensions logged article text and images. YouTube sessions resulted in video thumbnail captures and comment scraping. Pornography sites led to image and preference recording. Tax form simulations exposed Social Security numbers and financial details.
Decrypted traffic from Merlin showed plaintext transmission of health records, including diagnoses like diabetes management notes, and banking logins with account numbers. Sider AI’s packets included IP addresses paired with prompts containing personal identifiers. TinaMind routed similar data to Google Analytics endpoints.
Copilot’s local storage retained conversation logs, including queries about financial planning tied to income details from prior sites. Profiling examples included Sider inferring user gender from shopping sites and age from news preferences, applying these to ad-like recommendations.
Perplexity’s limitations prevented cross-session memory, blocking profiling. Its server logs contained only metadata like page titles (“Login – Bank of America”) and geolocation coordinates, without content payloads from private tabs.
Atlas documentation confirms image OCR and text extraction across all tabs. Memory snapshots include URL lists and summarized histories, such as “Visited Amazon cart with electronics.” The training opt-ins process data through anonymization pipelines, hashing IPs and aggregating sessions, per OpenAI disclosures.
Comet’s local storage uses IndexedDB for histories, syncing optionally to Perplexity accounts. Google integration requires OAuth scopes for read/write access to Gmail and Calendar. Third-party tools like Zapier connect via API keys.
Government requests to OpenAI spanned subpoenas for threat investigations and national security warrants, covering 6,000 user accounts. Compliance logs detail data types: chats, files, and IP traces.
Brave’s October analysis simulated 500 injection attempts across browsers. AI models executed 72 percent of malicious prompts, versus 4 percent in traditional browsers. LayerX tested 1,200 users: Comet sessions yielded 2.1 exploits per hour, Chrome 1.1.
Extension injection mechanics rely on Manifest V3 service workers, granting broad tab permissions. Autonomy stems from “content_scripts” matching all URLs, piping DOM trees to LLMs.
Market context shows Chrome’s 70 percent share from StatCounter data as of late 2025. AI browsers captured 12 percent combined, per SimilarWeb. Firefox AI integrations boosted its share to 8 percent.
