Atlas: Experts warn of security risks in OpenAI’s AI browser

Cybersecurity experts warn that OpenAI’s new browser, ChatGPT Atlas, could be vulnerable to malicious attacks that would turn AI assistants against users themselves, potentially stealing sensitive data or even emptying their bank accounts.

The AI ​​company launched Atlas on Tuesday with the aim of introducing an AI browser that, in the future, can help users perform tasks on the internet, in addition to searching for answers. Someone planning a trip, for example, could use Atlas to search for ideas, plan an itinerary, and then ask to book flights and accommodation directly.

ChatGPT Atlas brings several new features, such as “browser memories”, which allow ChatGPT to remember important details of the user’s navigation to improve responses and offer smarter suggestions, and an experimental mode called “agent mode”, in which ChatGPT can take control of navigation and interact with web pages on the user’s behalf.

The browser is part of the company’s larger strategy to expand ChatGPT from an application to a broader computing platform. This puts OpenAI in direct competition with Google and Microsoft, as well as new competitors like Perplexity, which has launched its own AI browser called Comet. (Google has also integrated its Gemini AI model into the Chrome browser.)

However, cybersecurity experts warn that all current AI browsers present new security risks, especially when it comes to so-called “prompt injection” — a type of attack in which malicious instructions are given to an AI system to make it behave in unintended ways, such as revealing sensitive information or taking harmful actions.

“There will always be residual risks around prompt injections because that is the nature of systems that interpret natural language and perform actions,” George Chalhoub, assistant professor at the UCL Interaction Center, told Fortune. “In the security world, it’s a cat and mouse game, so we can expect other vulnerabilities to emerge.”

The core problem is that AI browsers may not distinguish between instructions written by a trusted user and text present on untrusted web pages. This means that a hacker could create a page with instructions for any model who visits it, for example, to open the user’s email in a new tab and export all messages to the attacker. In some cases, attackers hide these instructions—using white text on a white background, for example, or machine code somewhere on the website—that are difficult for a human to notice but that the AI ​​browser will read.

“The main risk is that it collapses the boundary between data and instructions: it can turn an AI agent in a browser from a useful tool to an attack vector against the user,” Chalhoub added. “It can extract all your emails and steal your personal work data, access your Facebook account and steal your messages, or extract all your passwords, giving the agent unrestricted access to all your accounts.”

In a post on X, Dane Stuckey, chief information security officer at OpenAI, stated that the company is “carefully researching and mitigating” the risks related to prompt injections.

“Our long-term goal is that you can trust the ChatGPT agent to use your browser in the same way you would trust your most competent, trustworthy, and security-conscious colleague or friend,” he wrote. “For this release, we performed extensive security testing, implemented innovative training techniques to reward the model for ignoring malicious instructions, adopted multiple barriers and security measures, and added new systems to detect and block these attacks. However, prompt injection remains an unexplored security problem, and our adversaries will spend significant time and resources finding ways to make the agent ChatGPT falls for these attacks.”

Stuckey said the company has implemented several measures to mitigate risks and protect users, including rapid response systems to quickly detect and block attack campaigns, as well as continuing to invest in research, safety and security to strengthen the model’s robustness and infrastructure defenses. The company also offers features such as “Disconnected Mode,” which allows ChatGPT to operate without account credentials, and “Watch Mode,” to help users stay aware and in control when the agent operates on sensitive websites.

When reached for comment, OpenAI referred Fortune to Stuckey’s comments.

New attack surface

Several social media users shared early examples of successful prompt injection attacks against ChatGPT Atlas. A user demonstrated how Atlas can be exploited via clipboard injection. By embedding hidden “copy to clipboard” actions into buttons on a page, the user showed that when the AI ​​agent navigates the website, it can inadvertently replace the contents of the user’s clipboard with malicious links. Then, if the user pastes normally, they may be redirected to phishing sites and have sensitive information stolen, including multi-factor authentication codes.

Additionally, just hours after the release of ChatGPT Atlas, open-source browser company Brave published a blog detailing several attacks that AI browsers are particularly vulnerable to, including indirect prompt injections. The company had previously exposed a vulnerability in Perplexity’s Comet browser that allowed attackers to embed hidden commands in pages, which the AI ​​could execute when asked to summarize the page, potentially exposing sensitive data like user emails.

In Comet, Brave also discovered that attackers can hide commands in images that are executed when the user takes a screenshot, while in Fellou — another agent AI browser — simply navigating to a malicious page can cause the AI ​​to follow harmful instructions.

“These are much more dangerous attacks than traditional browser vulnerabilities,” Chalhoub said. “With an AI system, it’s actively reading the content and making decisions for you. So the attack surface is much larger and really invisible. Before, with a normal browser, you had to take multiple actions to get attacked or infected.”

“The security and privacy risk here still seems extremely high to me,” British programmer Simon Willison said about ChatGPT Atlas on his blog. “I’d like to see a detailed explanation of the measures Atlas takes to prevent prompt injection attacks. Now it seems the main defense is to wait for the user to carefully watch what agent mode is doing at all times!”

Data Sharing Risks

There are also questions about privacy and data retention. Notably, ChatGPT Atlas asks users to opt-in to sharing their password vaults, something that could be exploited by malicious attacks targeting the browser agent.

“The challenge is that for the AI ​​assistant to be useful, you need to give it access to your data and privileges, and if attackers manage to trick the assistant, it’s like you’ve been tricked,” said Srini Devadas, an MIT professor and principal investigator at CSAIL.

Devadas said the main privacy concern with AI browsers is the potential leakage of sensitive user data, such as personal or financial information, when private content is shared with AI servers. He also warned that AI browsers could provide incorrect information due to model hallucinations and that task automation could be exploited for malicious purposes such as harmful scripts.

“The integration layer between navigation and AI is a new attack surface,” he said.

Chalhoub added that it can be easy for users with less technical knowledge to download these browsers and assume that privacy is built into the product.

“Most users who download these browsers don’t understand what they’re sharing when they use these agents, and it’s very easy to import all of their passwords and browsing history from Chrome, and I think users don’t realize that, so they’re not really opting in consciously,” he said.

2025 Fortune Media IP Limited