ChatGPT Atlas Raises Alarm Over New AI Browser Security Risks

OpenAI has introduced ChatGPT Atlas, a browser that integrates ChatGPT directly into the web experience.

Unlike traditional browsers, Atlas allows users to interact with websites using natural language, automate tasks, and complete actions like summarizing job listings or placing online orders. Features such as browser memory and agent mode aim to make Atlas a fully capable assistant that understands user context and executes in real time.

Despite its innovation, Atlas is already drawing sharp criticism from cybersecurity experts.

The most pressing concern is prompt injection, a type of attack where malicious instructions are hidden within web content. These instructions can be misinterpreted by the AI as commands from the user. The result could be the browser agent opening private accounts, stealing data, or executing unintended actions, all without the user’s direct involvement.

Some of these vulnerabilities have already been demonstrated in the wild, raising alarms about the safety of this new browser model.

Why It Matters: AI browsers such as Atlas are changing how people interact with the internet. As AI starts performing tasks for users, the boundary between intent and action becomes less distinct. This change creates new cybersecurity concerns that existing protections may not fully address.

• Prompt Injection Attacks Are a Central Vulnerability: ChatGPT Atlas can be manipulated through hidden prompts embedded in websites. These prompts may appear as normal text, invisible formatting, or coded elements that the AI interprets as valid instructions. Once triggered, the AI could manipulate browsing sessions or exfiltrate sensitive data without any visible warning to the user.

• Agent Mode Expands the Attack Surface: One of Atlas’s key features, agent mode, gives ChatGPT the ability to perform actions like clicking and interacting with websites independently. While powerful, this autonomy creates a security gap. If the AI encounters a malicious prompt during a browsing session, it may unknowingly execute harmful commands. This could potentially expose personal accounts or data.

• Live Demonstrations Show Real Risks: Within hours of the browser’s launch, users showed working examples of prompt injection. In one case, a webpage used clipboard injection to silently overwrite the user’s clipboard with a phishing link. Brave, a rival browser company, published a blog post highlighting additional vulnerabilities in other AI browsers like Comet and Fellou. These included hidden commands in images, buttons, and even triggered actions during screenshots.

• OpenAI Confirms the Threat and Describes Mitigations: Dane Stuckey, OpenAI’s Chief Information Security Officer, acknowledged that prompt injection is a persistent and unresolved problem. He outlined measures the company has taken to reduce risk, including new training models and a rapid response system to block active attack attempts. Despite these efforts, OpenAI concedes that the threat remains.

• Privacy and Data Sharing Are Underestimated by Users: Atlas makes it easy for users to import saved data like browsing history and passwords. While this enhances convenience, it also increases exposure. Browser memory allows the AI to retain contextual information across sessions, which could be misused if prompt injection succeeds. Experts warn that users may not fully realize the extent of what they are sharing or the risks involved in using these features.

• The Problem Is Not Unique to OpenAI: Other AI browsers face similar threats. Brave highlighted vulnerabilities in Perplexity’s Comet browser and in Fellou, where simply visiting a malicious site could trigger harmful AI behavior. The common thread is that all agentic AI systems must interpret content as both data and instruction, making them inherently vulnerable to manipulation.

Go Deeper -> Cybersecurity experts warn OpenAI’s ChatGPT Atlas is vulnerable to attacks that could turn it against a user—revealing sensitive data, downloading malware, or worse – Fortune

Introducing ChatGPT Atlas – OpenAI