This is the third post in a series about security and privacy challenges in agentic browsers. This vulnerability research was conducted by Artem Chaikin (Senior Mobile Security Engineer), and was written by Artem and Shivan Kaul Sahib (VP, Privacy and Security).
Following up from our blog post last week on additional vulnerabilities in AI browsers, we’re now sharing details on a prompt injection attack we found in Opera Neon. We responsibly disclosed this vulnerability to Opera, but withheld sharing publicly at Opera’s request, to give them time to fix the vulnerability.
Like we’ve said in our blog posts about easily-exploitable attacks in various browsers, indirect prompt injection is a serious and unsolved security problem facing all AI browsers that take actions on the user’s behalf. It’s heartening to now see other browsers acknowledge it as such, and we’re glad to have helped push the envelope on this. As always, we appreciate the thoughtful feedback we’ve gotten on our security research, and the changes browser vendors have made (and will continue to make) to keep all users safe on the Web.
Opera Neon’s AI assistant processes webpage content to answer user queries, but fails to appropriately treat page contents as untrusted when constructing prompts for its LLM. Attackers can embed malicious instructions in hidden HTML elements and other non-rendered markup that remains invisible to users but is fully accessible to the AI assistant.
