Technology
Preferred on Google
Google News

Brave Research Flags Indirect Prompt Injection in Mozilla and Cotypist AI

Brave's research team disclosed indirect prompt injection flaws in third-party AI tools, Mozilla Tabstack and Cotypist, showing the attack hijacks both cloud and local AI alike.

2 min read
Brave browser logo with AI-related graphic elements.
Brave's AI browsing feature is analyzed for security vulnerabilities.· Brave

Brave's security and privacy research team has disclosed a set of indirect prompt injection vulnerabilities, but the flaws sit in third-party AI tools, not in Brave's own browser. The researchers showed how two very different products can be hijacked by hidden instructions buried in the content they are asked to process: Mozilla's Tabstack, a cloud-hosted API that lets AI agents browse the web autonomously, and Cotypist, a local, on-device autocomplete assistant for macOS.

Indirect prompt injection happens when an attacker plants instructions inside a webpage or document that the AI is legitimately asked to read. The model cannot reliably tell the difference between the developer's instructions and commands smuggled in through that external data, so it ends up following the attacker's payload mid-task.

How the two attacks worked

In the Tabstack case, an AI agent asked to summarize a webpage instead followed invisible injected instructions, navigated to an attacker-controlled form, and exfiltrated the user's conversation history without authorization. In the Cotypist case, hidden text inside local documents manipulated the model's autocomplete suggestions and risked surfacing the user's own credentials.

Related startups

Why it matters

The most important finding is that the weakness is not specific to cloud or local deployment. It affected both products equally, because the root cause is architectural: the model's willingness to follow instructions is simultaneously the source of its usefulness and its attack surface. As Brave puts it, the payload reaches the model through data the system was legitimately asked to process.

Brave's role here is that of the researcher. The company's team identified the issues and disclosed them responsibly, framing indirect prompt injection as a universal challenge for agentic AI rather than a flaw in any single browser or vendor. For anyone shipping AI features, the lesson is that treating all retrieved content as untrusted input, and tightly constraining what an agent is allowed to do with it, matters far more than where the model happens to run.

© 2026 StartupHub.ai. All rights reserved. Do not enter, scrape, copy, reproduce, or republish this article in whole or in part. Use as input to AI training, fine-tuning, retrieval-augmented generation, or any machine-learning system is prohibited without written license. Substantially-similar derivative works will be pursued to the fullest extent of applicable copyright, database, and computer-misuse laws. See our terms.
#Brave#AI#Cybersecurity#LLM#Prompt Injection