ChatGPT Atlas browser launches with major security vulnerabilities

OpenAI has released ChatGPT Atlas, an AI-powered browser that integrates ChatGPT directly into web browsing, allowing the chatbot to access open tabs and perform tasks like online ordering and email editing. However, cybersecurity experts are raising serious concerns about prompt injection attacks, data theft risks, and surveillance issues that could make AI browsers a significant security liability for users.

The big picture: AI browsers represent the next evolution in artificial intelligence applications, but they’re launching with fundamental security vulnerabilities that experts consider unacceptable.

  • Recent testing shows prompt injection attack success rates in the “low double digits,” which Brian Grinstead, senior principal engineer at Mozilla, calls “catastrophic” compared to traditional browser security standards.
  • “We wouldn’t release a new JavaScript API that let a web page take control of the browser 10% of the time, even if the page asked politely,” Grinstead noted.

How Atlas works: The browser integrates ChatGPT with every search query and can access content from all open tabs to answer questions or complete tasks.

  • Early testing by ZDNET showed promise, with Atlas successfully handling tasks like ordering groceries from Walmart on a user’s behalf.
  • The browser includes ChatGPT memory, allowing conversations to draw on past chats and details for new tasks.
  • OpenAI describes it as letting “ChatGPT come with you anywhere across the web, helping you in the window right where you are, understanding what you’re trying to do, and completing tasks for you.”

Security vulnerabilities: Prompt injection attacks pose the most immediate threat, allowing malicious actors to manipulate AI browsers through seemingly innocent content.

  • Brave researchers have discovered prompt injection vulnerabilities in multiple AI browsers, including Comet and Fellou.
  • These attacks can be hidden in web page content, Reddit comments, or product reviews, bypassing traditional security measures like the same-origin policy (a web security feature that prevents websites from accessing data from other sites).
  • “This lets simple natural-language instructions on websites trigger cross-domain actions that reach banks, healthcare provider sites, corporate systems, email hosts, and cloud storage,” Brave researchers warned.

Data handling concerns: AI browsers require extensive access to personal information to function effectively, raising questions about credential security and privacy.

  • Atlas offers an optional “logged-out mode” that prevents ChatGPT from accessing user credentials.
  • “Watch mode” requires users to keep sensitive tabs open to monitor the AI agent’s actions, and pauses if users navigate away.
  • A recent Aikido survey found that four out of five companies experienced cybersecurity incidents tied to AI code.

Surveillance implications: AI browsers collect unprecedented amounts of personal data through conversational interactions and browsing behavior analysis.

  • “Users now share the kinds of details they’d never type into a search box, from health worries and finances to relationships and business plans,” explained Eamonn Maguire, director of engineering at Proton, a privacy-focused technology company.
  • Maguire called this convergence of search, browsing, and automation an “unprecedented” level of insight into user behavior.

Expert recommendations: Security professionals advise extreme caution when using AI browsers, particularly with sensitive information.

  • Mozilla’s Grinstead recommends avoiding private data access and untrusted content when testing AI browsers.
  • Alex Lisle, CTO of Reality Defender, a deepfake detection company, called trusting browsing history to an AI browser “a fool’s errand,” noting that “not a week goes by without a new flaw or exploit on these browsers.”
  • Developer Simon Willison, co-creator of the Django Web Framework, remains “deeply skeptical” of the sector, noting that in application security, “99% is a failing grade.”

Current landscape: Atlas joins other AI browsers including Perplexity’s Comet, Dia, and Gemini-enabled Google Chrome in the emerging market.

  • Atlas is currently available only on Mac, with updates promised to refine the browser’s capabilities.
  • The competitive landscape includes established players like Opera with its Neon agentic browser and Microsoft Edge’s AI mode.
Are AI browsers worth the security risk? Why experts are worried
