Cybersecurity specialists are warning that OpenAI’s new browser, ChatGPT Atlas, could possibly be susceptible to malicious assaults that would flip AI assistants towards customers, doubtlessly stealing delicate knowledge and even draining their financial institution accounts.
The AI firm launched Atlas on Tuesday, with the purpose of introducing an AI browser that may finally assist customers execute duties throughout the web in addition to seek for solutions. Somebody planning a visit, for instance, might additionally use Atlas to seek for concepts, plan an itinerary, after which ask it to e book flights and lodging immediately.
ChatGPT Atlas has a number of new options, reminiscent of “browser memories,” which permit ChatGPT to recollect key particulars from a consumer’s internet shopping to enhance chat responses and provide smarter options, and an experimental “agent mode,” the place ChatGPT can take over shopping and interacting with webpages for a consumer.
The browser is a part of a wider push by the corporate to broaden ChatGPT from an app right into a broader computing platform. It additionally places OpenAI extra immediately in competitors with Google and Microsoft, in addition to newer gamers reminiscent of Perplexity, which has launched an AI-powered browser of its personal, known as Comet. (Google has additionally built-in its Gemini AI mannequin into its Chrome browser.)
Nonetheless, cybersecurity specialists warn that every one present AI browsers pose new safety dangers, significantly on the subject of what is known as “prompt injection”—a sort of assault the place malicious directions are given to an AI system to make it behave in unintended methods, reminiscent of revealing delicate info or performing dangerous actions.
“There will always be some residual risks around prompt injections because that’s just the nature of systems that interpret natural language and execute actions,” George Chalhoub, assistant professor at UCL Interplay Centre, advised Fortune. “In the security world, it’s a bit of a cat-and-mouse game, so we can expect to see other vulnerabilities emerge.”
In a publish on X, Dane Stuckey, OpenAI’s Chief Info Safety Officer, stated the corporate was “very thoughtfully researching and mitigating” the dangers round immediate injections.
“Our long-term goal is that you should be able to trust ChatGPT agent to use your browser, the same way you’d trust your most competent, trustworthy, and security-aware colleague or friend,” he wrote. “For this launch, we’ve performed extensive red-teaming, implemented novel model training techniques to reward the model for ignoring malicious instructions, implemented overlapping guardrails and safety measures, and added new systems to detect and block such attacks. However, prompt injection remains a frontier, unsolved security problem, and our adversaries will spend significant time and resources to find ways to make ChatGPT agent fall for these attacks.”
Stuckey stated the corporate had carried out a number of measures to mitigate dangers and shield customers, together with constructing speedy response techniques to detect and block assault campaigns rapidly, and persevering with to spend money on analysis, safety, and security to strengthen mannequin robustness and infrastructure defenses. The corporate additionally has options reminiscent of “logged out mode” which lets ChatGPT act with out account credentials, and “Watch Mode” to assist preserve customers conscious and in management when the agent operates on delicate websites.
When reached for remark, OpenAI referred Fortune to Stuckey’s feedback.
AI browsers create a brand new assault floor
A number of social media customers have shared early examples of efficiently utilizing a lot of these immediate injection assaults towards ChatGPT Atlas. One consumer demonstrated how Atlas could possibly be exploited by way of clipboard injection. By embedding hidden “copy to clipboard” actions in buttons on a webpage, the consumer confirmed that when the AI agent navigates the location, it might unknowingly overwrite the consumer’s clipboard with malicious hyperlinks. Later, if the consumer pastes usually, they could possibly be redirected to phishing websites and have delicate login info stolen, together with MFA codes.
In Comet, Courageous additionally discovered that attackers can conceal instructions in photos which might be executed when a consumer takes a screenshot, whereas in Fellou—one other agentic AI browser—merely navigating to a malicious webpage can set off the AI to observe dangerous directions.
“These are significantly more dangerous than traditional browser vulnerabilities,” Chalhoub stated. “With an AI system, it’s actively reading content and making decisions for you. So the attack surface is much larger and really invisible. Whereas in the past, with a normal browser, you needed to take a number of actions to be attacked or infected.”
“The security and privacy risks involved here still feel insurmountably high to me,” U.Ok.-based programmer Simon Willison stated of ChatGPT Atlas in his weblog. “I’d like to see a deep explanation of the steps Atlas takes to avoid prompt injection attacks. Right now, it looks like the main defense is expecting the user to carefully watch what agent mode is doing at all times!”
Customers might underestimate data-sharing dangers
There are additionally questions round privateness and knowledge retention. Notably, ChatGPT Atlas asks customers to choose in to share their password keychains, one thing that could possibly be exploited by malicious assaults aimed on the browser’s agent.
“The challenge is that if you want the AI assistant to be useful, you need to give it access to your data and your privileges, and if attackers can trick the AI assistant, it is as if you were tricked,” Srini Devadas, MIT Professor and CSAIL Principal Investigator, stated.
Devadas stated that the primary privateness concern with AI browsers is the potential leakage of delicate consumer knowledge, reminiscent of private or monetary info, when non-public content material is shared with AI servers. He additionally warned that AI browsers would possibly present incorrect info as a result of mannequin hallucinations and that process automation could possibly be exploited for malicious functions, like dangerous scripting.
“The integration layer between browsing and AI is a new attack surface,” he stated.
Chalhoub added that it could possibly be straightforward for much less technically literate customers to obtain these browsers and assume privateness is constructed into the product.
“Most users who download these browsers don’t understand what they’re sharing when they use these agents, and it’s really easy to import all of your passwords and browsing history from Chrome, and I don’t think users realize it, so they’re not really opting in knowingly,” he stated.
