ChatGPT Atlas raises security concerns: How safe are AI web browsers? | Technology News

OpenAI’s ChatGPT Atlas is the latest entrant in a new wave of AI-powered browsers that are vying to capture market share in a space that has long been dominated Google Chrome.The browser integrates directly with ChatGPT, allowing users to open a sidebar window and ask the popular AI chatbot questions about the web pages they visit. It also provides access to a built-in AI agent that can be deployed to complete various tasks on a user’s behalf, such as planning events or booking appointments as they browse.
In a product demo livestream on Tuesday, October 21, OpenAI also showcased the browser’s ability to recall users’ past searches to suggest relevant topics, automate recurring tasks, or surface previously visited web sites. This comes at a time when AI-centric browsers like Perplexity’s Comet are gaining traction due to a fundamental shift in user behaviour when looking up information online.
Story continues below this ad

However, less than 24 hours since its launch, ChatGPT Atlas has raised security concerns with cybersecurity researchers pointing out that AI-powered web browsers are vulnerable to prompt injection attacks. These browsers could also pose privacy risks as they likely require deep access to sensitive data from logged-in sessions.
Let’s take a closer look at the potential safety issues that come with AI-powered web browsers.
Can AI browser agents hijack your device?
Vulnerabilities in AI browsers differ from traditional web exploits as they could allow the AI agent to be easily tricked into pulling sensitive data across domains. Security researchers at Brave recently identified a potential security vulnerability in Perplexity’s agentic AI browser, Comet, that could allow attackers to maliciously instruct the browser agent via indirect prompt injection and gain access to sensitive user data, including emails, banking passwords, and other personal information.

The security vulnerability we found in Perplexity’s Comet browser this summer is not an isolated issue.
Indirect prompt injections are a systemic problem facing Comet and other AI-powered browsers.
Today we’re publishing details on more security vulnerabilities we uncovered.
— Brave (@brave) October 21, 2025
Attackers could hide the malicious instructions for the AI browser agent between web content. These instructions would appear as text on white backgrounds, HTML comments, or other invisible elements. They could also be embedded in Reddit comments or Facebook posts.
As a result, if a user submits a prompt such as ‘summarise this page’, the AI browser agent would crawl the webpage content, process it to extract key points, follow the hidden commands, and get tricked into visiting a user’s banking website to exfiltrate saved passwords or 2FA codes. The root problem is that AI browser agents do not dinguish between the content it should summarise and the instructions it should not follow, as per the report.Story continues below this ad

To be sure, Brave researchers did not cite any real-world instances of this kind of security vulnerability in AI browser agents being actively exploited. After the Brave report came out, Perplexity said it made changes to Comet so that the AI browser agent can “clearly separate the user’s instructions from the website’s contents when sending them as context to the model”.
In regards to ChatGPT Atlas, OpenAI has acknowledged the possibility of such an attack.
“Besides simply making makes when acting on your behalf, agents are susceptible to hidden malicious instructions, which may be hidden in places such as a webpage or email with the intention that the instructions override ChatGPT agent’s intended behavior. This could lead to stealing data from sites you’re logged into or taking actions you didn’t intend,” it said in a blog post on Tuesday.
What safety measures has OpenAI taken?
OpenAI has said that the built-in agent cannot run code in the browser, download files, or install extensions. It cannot access other apps on a user’s computer or file system. Additionally, the AI browser agent will “stop watching” when it takes actions on specific sensitive sites such as financial institutions.Story continues below this ad
“You can use agent in logged out mode to limit its access to sensitive data and the risk of it taking actions as you on websites,” OpenAI said. While ChatGPT Atlas is free to use, its agentic AI features are only accessible for users subscribed to OpenAI’s ChatGPT Plus or ChatGPT Pro plans.

In the ChatGPT agent system card, OpenAI says that it has run “thousands of hours of focused red-teaming” to safeguard its AI agents and quickly adapt to novel attacks. But it has also added that “safeguards will not stop every attack that emerges as AI agents grow in popularity.”
“Users should weigh the tradeoffs when deciding what information to provide to the agent, as well as take steps to minimize their exposure to these risks such as using ChatGPT agent in logged-out mode in Atlas and monitoring agent’s activities,” the company said.