The latest hype wave around LLMs has created a new trend in the browser world. Everyone suddenly wants to make an "AI browser," and even the big names like OpenAI and Perplexity are now trying to take on the absolute giant that Google Chrome has become. Competition is always good, especially in a space that has pretty much turned into a monopoly, but I have to be honest. These new AI browsers are not it.
I am all for competition, especially in a space that has basically become a monopoly. But after actually using some of these so-called AI browsers, I am not convinced. I tried the new ChatGPT Atlas browser for about a week before removing it, and that pretty much pushed me into looking deeper into the whole category. The more I looked, the more it felt like we are heading in the wrong direction.
Most AI agents are vulnerable to prompt injection attacks Ironically, Gemini created one for me
A prompt injection attack is when a website slips in its own hidden instructions and the AI follows those instead of what you actually asked it to do. Nothing gets hacked. The AI simply reads everything on the page, including text that is invisible to you, and treats it as part of the conversation.
This becomes a real issue in AI browsers because the agent tries to understand the entire page at once. If a site hides a line of text, the AI can still read it and might think it is a real command. That is how a site can tell the agent to ignore your request or produce something you never intended.
Even OpenAI says the new ChatGPT Atlas browser is still vulnerable to prompt injection. So, while the idea sounds really sophisticated, I was actually shocked at how easy it was to create a similar attack myself.
I will not get into the technical details for obvious security reasons, but I managed to trick Dia, a fairly popular AI browser, into speaking only in pirate language, and say "sea dogs" instead of "dogs" whenever it tried to summarize or answer anything related to a page I created. It was a silly example, but it proved the point. The agent listened to the hidden instruction on the page more than it listened to me.
If something that simple can change how an AI responds, imagine what a store or a sketchy site could do. A shopping site could nudge the AI into recommending the more expensive version of a product, or a malicious site could quietly push the agent toward unsafe links.
While I could not replicate the same results on ChatGPT Atlas, I would also point out what I did wasn't really sophisticated by any means.
You're not the user, you're the product You're building the next model
For years, Google has been the company building a detailed profile of who you are. It started with Google Search, where everything you looked up helped Google understand what ads to show you. Over time, this expanded into other services like Maps and YouTube, which added even more data about your habits, locations, and interests.
But with LLMs, the situation is very different. Most people do not realise how much they are giving up when they talk to an AI. Unlike traditional search, users tend to get far more personal with large language models because the interaction feels like a conversation. I have even seen people try to treat ChatGPT like a therapist.
The problem is that your chats do not simply sit there unused. In many cases, the data you provide is used to train or improve future models. That means your personal stories, preferences, and decisions can end up as part of the dataset that shapes how the AI behaves for millions of other users.
When an AI browser sends every page you visit and every prompt you write to the cloud, the privacy cost becomes much higher. And this is probably the purest form of profiling companies can do, so obviously an "AI" browser is the easiest way to get there.
Most AI "agents" don't really solve problems Would you like some risk with your agent too?
If you are not familiar with how these agents work, they are supposed to handle actions for you automatically based on a prompt. In theory this should save time. In practice, it rarely does. When I tried the new ChatGPT Atlas browser the Agent Mode was almost useless.
It would hallucinate actions, randomly summarize text I never asked for, or completely ignore basic things like scroll bars. On top of that, it was so slow that I could have done the task myself in a third of the time. Instead of helping, it kept getting in the way.
But the bigger problem is actually security. These agents are also prone to the prompt injection attacks I mentioned earlier, and the consequences can be much worse. AI browsers can actually be tricked into falling for scams like phishing emails, which is a catastrophic failure for the lack of a better term.
If agentic operations are one of the main selling points of these browsers and put you at such a massive risk (for now), what is even the point of using them at all?
You can get most of the same features with extensions In the end, it's all Chromium
Take a quick look at the most popular AI browsers today and look at how uncannily similar all of them are. Perplexity Comet, ChatGPT Atlas, and Dia all follow almost the exact same formula. They call an LLM when a question is too broad or too vague for a normal Google search. They add an AI sidebar that reads the page you are on and answers your questions. And they include a set of basic agent features that try to automate things for you. That is pretty much the entire package.
When you break it down, none of this is exclusive to these browsers. You can recreate almost all of it on a normal Chromium browser with a few extensions. These browsers are not doing anything revolutionary to bring AI into your workflow. The actual intelligence comes from the cloud, not from the browser itself, so the browser is mostly acting as a front end for the model.
Perplexity has its own AI Search extension that already replaces Google Search. For the AI sidebar part, you can use something like FillApp, which gives you the glorified "AI sidebar" and a bit of agent behavior if you're feeling daring. Once you add these pieces together, you end up with the same feature set without needing a whole new browser in your life.
AI browsers need to aim higher than LLM wrappers
Companies need to move past the idea that an LLM is enough to make a browser "smart." AI should actually improve the experience, not just sit in a sidebar repeating what is already on the page. That is why Arc felt so different from its successor, Dia.
For now, I still feel like a browser refugee, jumping between options and hoping something finally clicks. Ever since the original Arc disappeared, nothing has come close to replacing it.