Security researchers warn Cotypist & other local AI browsers remain vulnerable to hidden website attacks

Security researchers at Brave have exposed a significant flaw in the idea that local AI is automatically safer than cloud-based alternatives. Their newly published findings show that both on-device and cloud-hosted AI Browser tools remain vulnerable to a technique called indirect prompt injection — where malicious instructions are concealed inside content an AI is asked to process.

Two Products, Same Core Problem

Brave tested two distinct products: Mozilla Tabstack, a cloud-hosted AI agent capable of browsing the web autonomously, and Cotypist, an on-device macOS autocomplete assistant that never sends data to external servers. Despite sitting at opposite ends of the deployment spectrum, both proved susceptible to hidden instruction attacks.

In Mozilla Tabstack’s case, researchers built a webpage containing invisible instructions that human visitors could not see. When the AI agent was asked to summarize the page, it abandoned that task entirely. Instead, it navigated to an attacker-controlled site, filled out a form using the user’s conversation history and task context, and submitted the data — all without alerting the user or asking for confirmation.

The Cotypist findings told a different story, but carried an equally serious warning. Researchers hid instructions inside local documents, which then influenced the tool’s autocomplete suggestions. Those manipulated suggestions surfaced inaccurate information and, in some cases, exposed user credentials in generated text. Cotypist cannot browse the web or submit data on its own, and users must manually accept suggestions before they appear in text fields. Even so, the results challenged a growing assumption: that running AI locally is enough to eliminate security risk.

Mozilla Moved Quickly

Mozilla responded promptly after Brave disclosed the Tabstack vulnerability on May 13. The company confirmed the issue the following day and later released a fix, which Brave independently verified before publishing its report. No equivalent fix timeline was detailed for Cotypist in the findings.

A Pattern Across the Industry

Brave’s researchers have flagged similar prompt injection issues before, previously identifying vulnerabilities in Opera Neon and Perplexity Comet. The recurring pattern points to a structural challenge facing the broader browser industry, not a problem isolated to any single company.

The core difficulty lies in how large language models — the AI systems powering these tools — handle mixed inputs. Once trusted instructions and untrusted web content share the same context window (the block of text a model processes at once), the model can struggle to tell the difference between information it should read and commands it should follow.
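As an added illustration, not code from Brave, Mozilla or Cotypist, the Python pre-filter below separates the text a human visitor would see from text that only a parser sees, so concealed content can be logged and withheld from the model's context window instead of sharing it with trusted instructions. The hidden-style patterns and the sample page are constructed for this example and are not exhaustive.

```python
import re
from html.parser import HTMLParser

# Inline CSS fragments that hide content from a human reader (constructed, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|font-size\s*:\s*0(?:px|pt|r?em)?(?![.\d])", re.I)
# Zero-width code points that pass a visual check but still reach the model.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
SKIP_TAGS = {"script", "style", "template", "noscript"}
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "wbr", "source"}


class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self._stack = [], [], []  # stack holds (tag, is_hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_hidden = (tag in SKIP_TAGS or "hidden" in a or a.get("aria-hidden") == "true"
                     or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        if tag not in VOID_TAGS:  # void elements never close, so never push them
            self._stack.append((tag, is_hidden))

    def handle_endtag(self, tag):
        for i in range(len(self._stack) - 1, -1, -1):  # tolerate implied closes
            if self._stack[i][0] == tag:
                del self._stack[i:]
                return

    def handle_data(self, data):
        text = data.strip()
        if text:  # text under any hidden ancestor is quarantined for review, not fed to the model
            (self.hidden if any(h for _, h in self._stack) else self.visible).append(text)


def filter_untrusted_html(html):
    """Return (visible_text, hidden_segments, zero_width_count); only visible_text goes to the model."""
    p = VisibleText()
    p.feed(html)
    p.close()
    visible = " ".join(p.visible)
    return ZERO_WIDTH.sub("", visible), p.hidden, len(ZERO_WIDTH.findall(visible))


# Constructed sample page: two visible paragraphs plus hidden and zero-width content.
SAMPLE_PAGE = ("<html><body><h1>Quarterly report</h1><p>Revenue grew 4% year over year.</p>"
               "<div style='display:none'>(hidden-text placeholder)</div>"
               "<span aria-hidden='true'>(aria-hidden placeholder)</span>"
               "<p>Costs were flat.\u200b</p></body></html>")
```

A non-empty `hidden_segments` list or a non-zero zero-width count on a page the user asked to summarize is the signal worth logging before any agentic action is taken.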

For everyday users, the practical takeaway is straightforward. Whether an AI assistant runs in the cloud or entirely on a personal device, malicious websites and documents can still shape its behavior in ways users never intended. The question is no longer where the model runs. The harder challenge is ensuring it can interact with the open web without treating hidden content as instructions — and based on Brave’s findings, that problem remains unsolved.

Deepak Gupta

Deepak Gupta is a technologist who loves diving into software development, cybersecurity, and new tech. He aims to make complex topics easy to understand, sharing practical insights with fellow tech enthusiasts. Read more about me at LinkedIn.
