Experts Alert on Prompt Injection in ChatGPT Atlas

I am opting out of OpenAI’s new Atlas browser — and if you value your privacy, and accounts, then so should you. The pitch is irresistible: a browser into which ChatGPT can open tabs, click buttons, and fill out forms so you don’t have to. But agentic browsing opens a new, high-impact risk surface that defenders don’t have complete control of — and attackers are already poking at it.

What Atlas Does and Why It’s So Different

Atlas isn’t just another chatbot sidebar. As an agent, it can pretend to be you: It can simulate your mouse and keypresses, scan websites, and act on your behalf. That’s a striking contrast from assistants like Gemini in Chrome, which summarize pages but don’t take over operating the browser for you. The difference between them is crucial because authority changes the threat model — if a model may take actions, then a wayward instruction encountered on a page can become actual clicks, form submissions, and data exfiltration.

Theoretical Prompt Injection Is Now Reality

Security researchers have already demonstrated how easily models can be guided by concealed content. Within hours of Atlas going live, proofs of concept were posted to show how “invisible” instructions buried in documents and images could control the model. In one, it did not listen to the user’s request and echoed in reply a concealed message; in another, it quietly modified a browser setting. These are classic prompt injection techniques — much like in the early days with SQL injection, except that the “database” here is the instruction stream and the blast radius is your logged-in session.

The browser-producing company Brave publicly disclosed several prompt injection-related vulnerabilities in agentic assistants. The LLM Top 10 now categorizes the risk as prompt injection. OWASP has addressed the issue, and CISA and the UK NCSC have both published guidance warning that agent capabilities can amplify the impact of adversarial prompts within seemingly regular data.

Why Safeguards Fail in the Real World Today

OpenAI says Atlas doesn’t land on sensitive sites and restricts destructive behavior. That’s good to hear, but models today don’t provide deterministic guarantees. They are probabilistic systems conditioned on context windows that can be poisoned through HTML, CSS, alt text, PDFs, screenshots, and even faintly styled text. When the model owns the keys — your cookies, tokens, and stored passwords — context manipulation is account manipulation.

Most important, the fix isn’t strictly server-side. A website owner could fix and safeguard users from SQL injection, for example. In agentic browsing, the model runs on your machine and in your session, generating the same inputs as you. If such a jailbreak works on Tuesday, every Atlas user is vulnerable until we ship a new client or model update — that’s assuming the problem is fixed before then.

We have already seen how insecure session security can be. Campaigns of cookie theft directed toward creators — in which stolen tokens can be used to bypass passwords and even two-factor challenges — have been documented by Google’s own security teams. An AI capable of clicking through flows and reading on-screen prompts doesn’t create such a risk by itself, but it opens the door for attackers to take advantage of it indirectly, when even a single hidden instruction might actually trigger it.

Breaches Are Still Driven by the Human Element

Even though most organizations are wary of the human aspect, people still play a role in most breaches, according to the Verizon Data Breach Investigations Report. Agentic browsers impose higher cognitive demands on users because behind-the-scenes operations are so easy. That’s a dangerous cocktail: people are “asked” to “oversee” an AI’s actions while the AI speedily chases tasks you can’t reasonably audit in real time.

Throw in the unpredictability of generative systems — think back to those early chatbot days when they spat out unhinged responses or gave confidently wrong instructions — and you have a recipe for high-impact errors. If a model can persuasively talk you into taking a bad click, think what happens when it can simply make that click on your behalf.

What Design Choices Are Better Available Today

There is a safer way: put AI on the read-only path, and only allow explicitly escalated privileges.

As a result, assistants can summarize, translate, and extract without ever needing to touch your session’s state. Most mainstream browsers are handling AI this way for now, and until that ecosystem demonstrates it can effectively contain adversarial prompts, it’s exactly the right call.

Standards bodies are on the move, but not nearly quickly enough. NIST’s AI Risk Management Framework and CISA and the UK NCSC’s joint secure AI guidance emphasize least privilege, strong isolation, and human-in-the-loop controls. Going in the opposite direction is Atlas’s Agent mode, which operates as a main browser with complete credential access.

If You Must Try It, Proceed Like a Security Pro

If you have to gamble, then overreact.

• Run in a different OS profile or a disposable VM.
• Don’t use your main passwords (even if you don’t know them all yet); use a dedicated password manager limited to the domain.
• Use 2FA with hardware tokens.
• Limit time logged in to banks, email, and cloud consoles.
• Treat any document or site as adversarial — a timely injection could exploit it.

Bottom Line: Agentic Browsing Carries Real Risks Today

The potential of agentic browsing is real, but so are the perils. Until you can audit model behavior, verify guardrails, and rely on mature browser-level isolation — I won’t trust ChatGPT to drive my tabs, and neither should you. Make sure AI is a copilot, not the pilot.