OpenAI launched ChatGPT Atlas, its AI browser that can perform web actions like shopping and scheduling, but the company’s own security chief is warning users about potential risks. Dane Stuckey, OpenAI’s chief information security officer, cautioned that the browser “can still make (sometimes surprising!) mistakes, like trying to buy the wrong product or forgetting to check in with you before taking an important action,” highlighting vulnerabilities that could undermine consumer trust in AI-powered browsing.
The security concern: Prompt injection attacks pose an “emerging risk” where hackers embed malicious instructions in websites to manipulate AI agents into unintended behaviors.
In plain English: Think of AI browsers like helpful assistants that can shop and schedule for you online. However, hackers can hide malicious instructions on websites—like leaving fake notes for the assistant to follow. Since AI can’t tell the difference between legitimate website content and these hidden traps, it might accidentally follow the hacker’s instructions instead of yours.
Industry-wide vulnerability: ChatGPT Atlas faces the same fundamental security challenges as other AI browsers currently in development.
What they’re saying: OpenAI acknowledges the risks while emphasizing its commitment to security research and mitigation.
Current availability: ChatGPT Atlas is available only on macOS, suggesting a cautious rollout approach as OpenAI addresses these security concerns.
Business implications: These security vulnerabilities could threaten consumer adoption and represent a significant challenge to OpenAI’s revenue diversification efforts, as AI browsers promise to automate routine web tasks but require user trust to succeed in the marketplace.