Why You Shouldn't Download ChatGPT’s AI Browser Just Yet
OpenAI has launched a new browser called ChatGPT Atlas, promising a smarter and more personal way to surf the web. It is designed to act like an assistant that moves with you from site to site, understanding what you see and even performing tasks on your behalf. Aside from sounding a little dystopian, almost like doom scrolling but with browsing, security experts say this level of access comes with serious risks.
Atlas relies on two key features. The first is called browser memories, which tracks the sites you visit and how you interact with them to make future responses more personal. The second is agent mode, which allows the AI to click on links, fill out forms, and navigate websites without you doing it manually. This combination gives the browser more power than traditional tools like Google Chrome or Safari. It also makes it a potential target.
Researchers have already shown how attackers can trick Atlas through what’s called a prompt injection attack. In simple terms, this attack hides instructions inside text the AI is trained to trust. Instead of typing those instructions directly, the attacker buries them in something that looks harmless, like a regular URL or snippet of code. When the user clicks or pastes it, the AI reads those hidden commands as legitimate and follows them. In testing, this allowed attackers to redirect users to phishing pages, access emails or cloud files, and trigger unwanted downloads or transactions.
Also, this browser can see everything you do. It observes the pages you visit, the text you read, how long you stay, and the actions you take afterward. Over time, it builds a detailed picture of your behavior and personal interests. Even if you delete your browsing memories, the system can still make inferences based on past activity. Experts warn that this can expose sensitive details such as financial records, work files, or health information.
Prompt injection is not a new kind of attack, but with AI browsers, it becomes much more dangerous. Hackers can hide instructions on web pages in white text, tuck them into image files, or use fake sidebars that look like the real AI assistant. Since the AI has the same permissions as the user, these attacks can bypass normal security defenses. The browser essentially acts on your behalf, which means any trick played on the AI is played on you too, with real consequences.
Even OpenAI acknowledges these issues. Their Chief Information Security Officer, Dane Stuckey, described prompt injection as an “unsolved security problem.” The company has added privacy settings, logged-out browsing, and real-time monitoring tools, but none of these fully solve the problem. Security researcher Martí Jordà has pointed out that Atlas treats omnibox prompts as trusted input, which makes it especially vulnerable to manipulation compared to regular browsers.
Other companies like Perplexity and Brave Software Inc. are facing similar problems with their AI browsers. Until the industry develops stronger protections, using these tools means accepting a tradeoff between convenience and privacy.
For more articles like this, check out our Tech News page!