Comet AI browser can get prompt injected from any site, drain your bank account

Nobody could have predicted this /s

Joke aside, it's been pretty obvious since the beginning that security was an afterthought for most "AI" companies, with even MCP adding secure features after the initial release.

How does this compare to the way security was implemented by early websites, internet protocols, or telecom systems?

Must we learn the same lessons over and over again? Why? Is our industry particularly stupid? Or just lazy?

Information security is, fundamentally, a misalignment of expected capabilities with new technologies.

There is literally no way a new technology can be "secure" until it has existed in the public zeitgeist for long enough that the general public has an intuitive feel for its capabilities and limitations.

Yes, when you release a new product, you can ensure that its functionality aligns with expectations from other products in the industry, or analogous products that people are already using. You can make design choices where a user has to slowly expose themselves to more functionality as they understand the technology deeper, but each step of the way is going to expose them to additional threats that they might not fully understand.

Security is that journey. You can just release a product using a brand new technology that's "secure" right out of the gate.