Cybersecurity consultants are warning that OpenAI’s new browser, ChatGPT Atlas, might be weak to malicious assaults that would flip AI assistants in opposition to customers, doubtlessly stealing delicate information and even draining their financial institution accounts.
The AI firm launched Atlas on Tuesday, with the purpose of introducing an AI browser that may ultimately assist customers execute duties throughout the web in addition to seek for solutions. Somebody planning a visit, for instance, may additionally use Atlas to seek for concepts, plan an itinerary, after which ask it to ebook flights and lodging immediately.
ChatGPT Atlas has a number of new options, reminiscent of “browser recollections,” which permit ChatGPT to recollect key particulars from a consumer’s net searching to enhance chat responses and provide smarter strategies, and an experimental “agent mode,” the place ChatGPT can take over searching and interacting with webpages for a consumer.
The browser is a part of a wider push by the corporate to broaden ChatGPT from an app right into a broader computing platform. It additionally places OpenAI extra immediately in competitors with Google and Microsoft, in addition to newer gamers reminiscent of Perplexity, which has launched an AI-powered browser of its personal, known as Comet. (Google has additionally built-in its Gemini AI mannequin into its Chrome browser.)
Nonetheless, cybersecurity consultants warn that every one present AI browsers pose new safety dangers, significantly in relation to what is known as “immediate injection”—a kind of assault the place malicious directions are given to an AI system to make it behave in unintended methods, reminiscent of revealing delicate info or performing dangerous actions.
“There’ll at all times be some residual dangers round immediate injections as a result of that’s simply the character of programs that interpret pure language and execute actions,” George Chalhoub, assistant professor at UCL Interplay Centre, informed Fortune. “Within the safety world, it’s a little bit of a cat-and-mouse sport, so we will count on to see different vulnerabilities emerge.”
The core subject is that AI browsers can fail to tell apart between the directions, or immediate, written by a trusted consumer from the textual content written on untrusted webpages. Because of this a hacker may arrange a webpage containing directions that any mannequin visiting the location ought to, for instance, open up the consumer’s e-mail in a recent tab and export all of the consumer’s messages to the attacker. In some circumstances, attackers would possibly cover these directions—through the use of white textual content on a white background, as an illustration, or utilizing machine code someplace on the location—which can be laborious for a human consumer to identify, however which the AI browser will nonetheless learn.
“The primary danger is that it collapses the boundary between the information and the directions: it may flip an AI agent in a browser from a useful software to a possible assault vector in opposition to the consumer,” Chalhoub added. “So it may possibly go and extract your whole emails and steal your private information from work, or it may possibly log into your Fb account and steal your messages, or extract your whole passwords, so that you’ve given the agent unfiltered entry to your whole accounts.”
In a post on X, Dane Stuckey, OpenAI’s Chief Info Safety Officer, stated the corporate was “very thoughtfully researching and mitigating” the dangers round immediate injections.
“Our long-term purpose is that you need to have the ability to belief ChatGPT agent to make use of your browser, the identical means you’d belief your most competent, reliable, and security-aware colleague or buddy,” he wrote. “For this launch, we’ve carried out intensive red-teaming, carried out novel mannequin coaching methods to reward the mannequin for ignoring malicious directions, carried out overlapping guardrails and security measures, and added new programs to detect and block such assaults. Nonetheless, immediate injection stays a frontier, unsolved safety drawback, and our adversaries will spend vital time and sources to search out methods to make ChatGPT agent fall for these assaults.”
Stuckey stated the corporate had carried out a number of measures to mitigate dangers and shield customers, together with constructing fast response programs to detect and block assault campaigns rapidly, and persevering with to put money into analysis, safety, and security to strengthen mannequin robustness and infrastructure defenses. The corporate additionally has options reminiscent of “logged out mode” which lets ChatGPT act with out account credentials, and “Watch Mode” to assist maintain customers conscious and in management when the agent operates on delicate websites.
When reached for remark, OpenAI referred Fortune to Stuckey’s feedback.
AI browsers create a brand new assault floor
A number of social media customers have shared early examples of efficiently utilizing a lot of these immediate injection assaults in opposition to ChatGPT Atlas. One user demonstrated how Atlas might be exploited by way of clipboard injection. By embedding hidden “copy to clipboard” actions in buttons on a webpage, the consumer confirmed that when the AI agent navigates the location, it may unknowingly overwrite the consumer’s clipboard with malicious hyperlinks. Later, if the consumer pastes usually, they might be redirected to phishing websites and have delicate login info stolen, together with MFA codes.
Moreover, simply hours after ChatGPT Atlas launched, Brave, an open-source browser firm, posted a weblog detailing a number of assaults AI browsers are significantly weak to, together with oblique immediate injections. The corporate previously exposed a vulnerability in Perplexity’s Comet browser that allowed attackers to embed hidden instructions in webpages, which the AI may execute when requested to summarize the web page and doubtlessly expose delicate information reminiscent of consumer emails.
In Comet, Courageous additionally discovered that attackers can cover instructions in photographs which can be executed when a consumer takes a screenshot, whereas in Fellou—one other agentic AI browser—merely navigating to a malicious webpage can set off the AI to comply with dangerous directions.
“These are considerably extra harmful than conventional browser vulnerabilities,” Chalhoub stated. “With an AI system, it’s actively studying content material and making choices for you. So the assault floor is far bigger and actually invisible. Whereas up to now, with a standard browser, you wanted to take various actions to be attacked or contaminated.”
“The safety and privateness dangers concerned right here nonetheless really feel insurmountably excessive to me,” U.Ok.-based programmer Simon Willison said of ChatGPT Atlas in his blog. “I’d wish to see a deep clarification of the steps Atlas takes to keep away from immediate injection assaults. Proper now, it appears like the primary protection is anticipating the consumer to fastidiously watch what agent mode is doing always!”
Customers could underestimate data-sharing dangers
There are additionally questions round privateness and information retention. Notably, ChatGPT Atlas asks customers to decide in to share their password keychains, one thing that might be exploited by malicious assaults aimed on the browser’s agent.
“The problem is that if you would like the AI assistant to be helpful, you want to give it entry to your information and your privileges, and if attackers can trick the AI assistant, it’s as should you had been tricked,” Srini Devadas, MIT Professor and CSAIL Principal Investigator, stated.
Devadas stated that the primary privateness concern with AI browsers is the potential leakage of delicate consumer information, reminiscent of private or monetary info, when personal content material is shared with AI servers. He additionally warned that AI browsers would possibly present incorrect info as a consequence of mannequin hallucinations and that job automation might be exploited for malicious functions, like dangerous scripting.
“The combination layer between searching and AI is a brand new assault floor,” he stated.
Chalhoub added that it might be straightforward for much less technically literate customers to obtain these browsers and assume privateness is constructed into the product.
“Most customers who obtain these browsers don’t perceive what they’re sharing once they use these brokers, and it’s very easy to import your whole passwords and searching historical past from Chrome, and I don’t suppose customers understand it, in order that they’re probably not opting in knowingly,” he stated.
