Comet and Atlas Act on Your Behalf, Hijacked by Invisible Text
Comet and Atlas browse, book and pay for you. Convenient enough, until invisible text on a page quietly hijacks the agent and the access you handed it.
You ask your browser to book a table for four on Friday evening, near the station, Italian if possible. A few seconds later it has opened three sites, compared the slots, filled in the form and confirmed. You touched neither keyboard nor mouse.
The scene is no longer hypothetical. In July 2025 Perplexity launched Comet; on October 21 OpenAI answered with Atlas. Two browsers built around an agent that no longer merely replies: it clicks, types, navigates and acts in your name. The convenience is real. The real question is what exactly you hand over when you let a machine hold the mouse for you.
The agent that finishes the chore
The principle breaks with two decades of habit. Until now, the browser displayed, and it was up to you to read, click and fill in. The agent executes instead. Comet plugs straight into Gmail and Google Calendar to sort an inbox, dig out a buried thread, set up a meeting. Atlas ships an "agent mode" able to run research, compare products and go as far as the purchase.
What you gain comes down to one thing: the time spent on featureless tasks. Booking, comparing, retyping a delivery address, filling in the same form for the tenth time: the gestures no one lays claim to pass to the machine. For anyone juggling forty open tabs, the agent promises to close the administrative parenthesis the web has become.
The benefit goes beyond saved minutes. For an elderly person lost in a banking interface, for someone who reads a screen poorly or whose hand shakes on a mouse, delegating the manoeuvre to a voice that understands a plain instruction means recovering a form of autonomy. The promise is not small: making the web usable without having to master its mechanics.
White text on a white background
Yet this delegation opens a door no one had to guard before. A classic browser takes orders only from you. An agentic browser also reads the page it visits, and nothing stops that page from talking to it. This is the flaw researchers call prompt injection: slipping, into seemingly harmless content, instructions meant for the agent rather than the human.
The demonstration is not theoretical. The security team of the Brave browser trapped Comet by hiding instructions invisible to the eye: white text on a white background, or text buried in comments in the page's code. The agent read them without flinching, and obeyed: fetch a one-time code from the user's mailbox, open a banking portal, trigger sensitive actions from one site to the next. The victim only had to visit the wrong page.
The imbalance is new. A classic scam has to convince you to click; here it is enough to convince your agent, which does not grow suspicious, does not tire, and already holds your access. The convenience that spares you ten gestures also spares ten gestures to anyone who would act in your place.
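A defender's view of the hidden-text trick described above, as an added example that is not code from Brave, Perplexity or OpenAI: a filter that separates what a person would see on a page from what only a machine would read, before any of it reaches an agent. The names PageSplitter and split_page, the list of hiding styles and the sample page are assumptions made for illustration, and only inline styles are inspected (text hidden through stylesheets or scripts is not caught).

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text from a person (heuristic list, an assumption).
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|(opacity|font-size)\s*:\s*0(px|pt|em)?\s*(;|$)", re.I)
COLOR = re.compile(r"(?<![-\w])color\s*:\s*([^;]+)", re.I)
BACKGROUND = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta", "wbr"}  # tags with no end tag

def normalise(colour):  # map the common spellings of white to one value
    c = re.sub(r"\s+", "", colour.lower())
    return "white" if c in {"white", "#fff", "#ffffff", "rgb(255,255,255)"} else c

class PageSplitter(HTMLParser):
    """Separates text a person can see from text only a machine would read."""
    def __init__(self, page_background="white"):
        super().__init__()
        self.stack = [(False, page_background)]  # (hidden?, background) per open tag
        self.visible, self.suppressed = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        hidden, background = self.stack[-1]  # inherited from the parent element
        bg, fg = BACKGROUND.search(style), COLOR.search(style)
        background = normalise(bg.group(1)) if bg else background
        same = fg is not None and normalise(fg.group(1)) == background
        hidden = hidden or same or tag in ("script", "style") or bool(HIDDEN.search(style))
        self.stack.append((hidden, background))
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.suppressed if self.stack[-1][0] else self.visible).append(text)
    def handle_comment(self, data):  # comments are never rendered
        self.suppressed.append(" ".join(data.split()))

def split_page(html):
    parser = PageSplitter()
    parser.feed(html)
    parser.close()
    return parser.visible, parser.suppressed

# Constructed sample page, not taken from any real site.
SAMPLE = ('<body style="background:#fff"><p>Tables for four on Friday.</p>'
          '<!-- constructed comment --><p style="color:#FFFFFF">constructed white text</p>'
          '<div style="display:none"><span>constructed hidden text</span><br></div></body>')
```

Passing only the first list to the agent and logging the second gives a reviewer something to inspect when a page carries text no visitor could read; it narrows this one channel and does not make injection impossible.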
An agent wired into your whole life
The power of these browsers comes precisely from their position. To book, pay and sort your mail, the agent has to be logged into your accounts, keep your sessions open, see what you see. It does not skim the web: it inhabits it with your credentials. That intimacy is what makes it useful, and it is what unsettles.
Everything that passes before its eyes can, in principle, be read, remembered, cross-referenced. Atlas keeps a memory of your browsing to refine its suggestions; the service gains in relevance, and you become that much less opaque to it. Where a human forgets, the agent retains, and we often have no idea where, for how long, or to whose benefit.
Dependence then slips in quietly. The more convenient the agent, the less we check what it does. We approve a summary without reading it, sign off a booking without reopening the page, and gradually stop knowing how the task gets done. The autonomy won over chores is paid for in autonomy lost over the detail: you delegate the gesture, then you delegate control.
What OpenAI would rather say up front
The most striking part is the makers' candour. Late in 2025, OpenAI acknowledged that prompt injection would probably never be fully eliminated for browsing agents. You can reduce the risk, detect it, test it relentlessly; you cannot make it vanish, because it springs from the very nature of a machine that reads the web and acts on it.
Researchers at Zenity Labs have since exposed a whole series of similar vulnerabilities across several of these browsers. The industry answers with defence in depth: explicit confirmations before sensitive actions, compartmentalised access, automatic attack detection. Useful safeguards, all of which eat into the very convenience the agent was meant to deliver. The more you rein it in, the less it acts alone; the less it acts alone, the less it keeps its promise.
There lies the underlying tension. A truly autonomous agent is one to which you have handed everything, and therefore one that invisible text can hijack. A cautious agent is one you have to watch, and therefore one that no longer saves you much.
Keeping a hand on the mouse
The agentic browser is no gadget: it foreshadows a way of living the web where you state an intention rather than execute a string of clicks. For many it will be a relief, and at times a door reopened onto services that had become unreadable. The comfort, here, is anything but illusory.
But it has to be earned. Handing your access to an agent means accepting that a malicious page may speak to it in your place, and that a memory watches you in exchange for the service. The right reflex is not to flee the tool, but to grant it the least power possible for the most useful tasks: confirming for yourself anything that touches money or identity, and keeping, on the gestures that matter, a firm hand of your own on the mouse.