Why You Shouldn't Download ChatGPT’s AI Browser Just Yet
OpenAI has launched a new browser called ChatGPT Atlas, promising a smarter and more personal way to surf the web. It is designed to act like an assistant that moves with you from site to site, understanding what you see and even performing tasks on your behalf. But security experts say this level of access comes with serious risks.
Atlas relies on two key features. The first is called browser memories, which tracks the sites you visit and how you interact with them to make future responses more personal. The second is agent mode, which allows the AI to click on links, fill out forms, and navigate websites without you doing it manually. This combination gives the browser more power than traditional tools like Google Chrome or Safari. It also makes it a potential target.
Researchers have already shown how attackers can trick Atlas through what’s called a prompt injection attack. This involves hiding harmful commands inside what looks like a normal URL. When someone pastes or clicks that link, the AI treats the hidden instructions as if they came from the user. In testing, this method could redirect someone to phishing pages, access emails or cloud files, and even trigger unwanted downloads or transactions.
Atlas also raises major privacy concerns. Unlike search engines that only collect your queries, this browser can see everything you do. It observes the pages you visit, the text you read, how long you stay, and the actions you take afterward. Over time, it builds a detailed picture of your behavior and personal interests. Even if you delete your browsing memories, the system can still make inferences based on past activity. Security experts warn that this can expose sensitive details such as financial records, work files, or health information.
Prompt injection is not a new kind of attack, but with AI browsers, it becomes much more dangerous. Hackers can hide instructions on web pages in white text, tuck them into image files, or use fake sidebars that look like the real AI assistant. Since the AI has the same permissions as the user, these attacks can bypass normal security defenses. The browser essentially acts on your behalf, which means any trick played on the AI can have real consequences.
Even OpenAI acknowledges these issues. Their Chief Information Security Officer, Dane Stuckey, described prompt injection as an “unsolved security problem.” The company has added privacy settings, logged-out browsing, and real-time monitoring tools, but none of these fully solve the problem. Security researcher Martí Jordà has pointed out that Atlas treats omnibox prompts as trusted input, which makes it especially vulnerable to manipulation compared to regular browsers.
Experts recommend being cautious. Atlas may be convenient, but it is not ready for sensitive use. It is safer to keep online banking, work accounts, and private data separate from this browser. Strong passwords and multi-factor authentication help, but they cannot eliminate the core risk built into the design.
Other companies like Perplexity and Brave Software Inc. are facing similar problems with their AI browsers. Until the industry develops stronger protections, using these tools means accepting a tradeoff between convenience and privacy.
For more articles like this, check out our Tech News page!