Hi Opera users,

If you were hanging out around these parts in the past few weeks, you might have noticed that we launched Opera Neon – an AI agentic browser that can browse with you or for you, take action, and help you get things done.

Opera Neon is currently being tested in an Early Access phase, with a limited number of users subscribed to our program. You can find more information about Opera Neon and how you can sign up for a chance to try it out in our News blog. 

Today, we want to address the important topic of agentic browser security. Our Security team has worked closely together with Opera Neon’s development team to ensure that our agentic browser can protect you from the new kinds of threats and attacks that are unique to agentic browsers. Following numerous pen-tests and addressing a number of attack vectors, the result is a safer and stronger product. Most importantly, this work is ongoing and as new issues are discovered, our teams are able to move faster and address them rapidly and effectively.

When using any browser, you want to be confident that it can protect you from common threats and attacks. Opera’s browsers benefit from the robust security efforts of the Chromium open-source project, which they are based on, providing protections such as multi-process design and features including isolated processes and sandboxing. The constant work and improvements made by our own developers plus our ongoing work with external researchers and bug bounty hunters provide additional layers of protection and support.

As Opera Neon is built on top of this groundwork, it also benefits from it, ensuring that any regular threats are addressed and prevented. However, just as agentic browsers open up new possibilities in browsing and completing tasks online, so can they be susceptible to new kinds of attacks that exploit vulnerabilities found in AI agents. 

Common threats to agentic browsers

The area of browser security for agentic browsers is brand new and presents several new types of challenges for a browser. Some of the new threats that have been identified with regard to agentic browsers include: 

• Prompt injection and hijacking: This is when an attacker injects hidden or malicious instructions into web content, which can trick the AI agent into following unauthorized commands, such as leaking data or performing actions on websites unseen by the user.

• Perception and interface manipulation: This involves altering the visual or structural elements of a webpage to mislead the agent, causing it to fall for phishing sites or click on malicious links.

• Data and context leakage: The agent’s memory and continuous handling of context could be exploited to expose sensitive data like credentials, session tokens, or personal information.

How Opera Neon mitigates threats

Many of these attacks are the inevitable result of new technologies changing the way we interact with the web. The agentic internet is one of the most fundamental changes we’ve yet to experience, so it’s only natural that with it come new threats and new risks.

As we aim for Opera Neon to be the gateway into the agentic internet, we have designed it so as to mitigate those threats and effectively reduce the risk to users as much as possible. The work is ongoing, especially since Opera Neon continues to be developed during the Early Access testing phase. These are some of the things we have done so far:

• Tasks: These are self-contained workspaces in Opera Neon that allow you to work on a specific project using multiple sources of reference. You can open multiple tabs, perform multiple requests, and draw from multiple sources within one “mini-browser”, without affecting or accessing other open Tasks or any other information elsewhere in Opera Neon.

• Prompt processing: Prompts are processed differently depending on the model that is chosen for the task at hand. This makes it harder for a specific attack to be replicated reliably.

• Prompt analysis: Opera Neon incorporates safeguards against prompt injection by analyzing prompts for potentially malicious characteristics. However, it is important to acknowledge that due to the non-deterministic nature of AI models, the risk of a successful prompt injection attack cannot be entirely reduced to zero.

• Human-in-the-loop: Opera Neon is designed with a “human-in-the-loop” approach, meaning it will generally pause and request user interaction when actions such as completing a transaction or downloading a file require confirmation.

• Blacklisting: Opera has already implemented blacklisting of high-risk pages (such as banking sites) to prevent AI agents from accessing or acting on them. This reduces the impact of a potentially successful attack.

• Layered Defenses: Inspired by industry best practices, Opera is exploring layered defense mechanisms, including:
  • Further improvements to input sanitization and output filtering for AI prompts.
  • Restricting AI actions to a safe subset of browser capabilities.
  • Considering third-party solutions for enhanced protection.

Heading into the agentic future with security in mind

As with any technology, progress and innovation mean stepping into uncharted waters, where unknown dangers might lurk. That’s why Opera Neon has been developed with security and privacy in mind, ensuring that threats can either be mitigated or prevented successfully as much as possible.

At the same time, we continue working with security researchers on bug reporting and responsible disclosure, moving quickly to address security vulnerabilities when they are discovered, just like we do with our regular browsers.

If you’d like to report a security issue, you can do so through our public and private Bug Bounty programs. Out-of-scope security issues can be submitted directly to us and are subject to our Vulnerability Policy.To report malicious or suspicious activity related to Opera products and services, please use the Report Fraud page.

---