Cybersecurity consultants are warning that OpenAI’s new browser, ChatGPT Atlas, could possibly be weak to malicious assaults that would flip AI assistants towards customers, probably stealing delicate information and even draining their financial institution accounts.
The AI firm launched Atlas on Tuesday, with the objective of introducing an AI browser that may ultimately assist customers execute duties throughout the web in addition to seek for solutions. Somebody planning a visit, for instance, may additionally use Atlas to seek for concepts, plan an itinerary, after which ask it to e-book flights and lodging immediately.
ChatGPT Atlas has a number of new options, comparable to “browser recollections,” which permit ChatGPT to recollect key particulars from a person’s internet searching to enhance chat responses and provide smarter strategies, and an experimental “agent mode,” the place ChatGPT can take over searching and interacting with webpages for a person.
The browser is a part of a wider push by the corporate to develop ChatGPT from an app right into a broader computing platform. It additionally places OpenAI extra immediately in competitors with Google and Microsoft, in addition to newer gamers comparable to Perplexity, which has launched an AI-powered browser of its personal, referred to as Comet. (Google has additionally built-in its Gemini AI mannequin into its Chrome browser.)
Nonetheless, cybersecurity consultants warn that every one present AI browsers pose new safety dangers, notably in terms of what is known as “immediate injection”—a sort of assault the place malicious directions are given to an AI system to make it behave in unintended methods, comparable to revealing delicate info or performing dangerous actions.
“There’ll at all times be some residual dangers round immediate injections as a result of that’s simply the character of methods that interpret pure language and execute actions,” George Chalhoub, assistant professor at UCL Interplay Centre, informed Fortune. “Within the safety world, it’s a little bit of a cat-and-mouse recreation, so we will count on to see different vulnerabilities emerge.”
The core concern is that AI browsers can fail to tell apart between the directions, or immediate, written by a trusted person from the textual content written on untrusted webpages. Which means a hacker may arrange a webpage containing directions that any mannequin visiting the positioning ought to, for instance, open up the person’s electronic mail in a recent tab and export all of the person’s messages to the attacker. In some instances, attackers may disguise these directions—by utilizing white textual content on a white background, for example, or utilizing machine code someplace on the positioning—which might be arduous for a human person to identify, however which the AI browser will nonetheless learn.
“The principle threat is that it collapses the boundary between the information and the directions: it may flip an AI agent in a browser from a useful instrument to a possible assault vector towards the person,” Chalhoub added. “So it might probably go and extract your whole emails and steal your private information from work, or it might probably log into your Fb account and steal your messages, or extract your whole passwords, so that you’ve given the agent unfiltered entry to your whole accounts.”
In a post on X, Dane Stuckey, OpenAI’s Chief Data Safety Officer, stated the corporate was “very thoughtfully researching and mitigating” the dangers round immediate injections.
“Our long-term objective is that you need to be capable to belief ChatGPT agent to make use of your browser, the identical means you’d belief your most competent, reliable, and security-aware colleague or buddy,” he wrote. “For this launch, we’ve carried out intensive red-teaming, carried out novel mannequin coaching methods to reward the mannequin for ignoring malicious directions, carried out overlapping guardrails and security measures, and added new methods to detect and block such assaults. Nonetheless, immediate injection stays a frontier, unsolved safety drawback, and our adversaries will spend vital time and assets to search out methods to make ChatGPT agent fall for these assaults.”
Stuckey stated the corporate had carried out a number of measures to mitigate dangers and defend customers, together with constructing fast response methods to detect and block assault campaigns rapidly, and persevering with to put money into analysis, safety, and security to strengthen mannequin robustness and infrastructure defenses. The corporate additionally has options comparable to “logged out mode” which lets ChatGPT act with out account credentials, and “Watch Mode” to assist maintain customers conscious and in management when the agent operates on delicate websites.
When reached for remark, OpenAI referred Fortune to Stuckey’s feedback.
AI browsers create a brand new assault floor
A number of social media customers have shared early examples of efficiently utilizing these kind of immediate injection assaults towards ChatGPT Atlas. One user demonstrated how Atlas could possibly be exploited through clipboard injection. By embedding hidden “copy to clipboard” actions in buttons on a webpage, the person confirmed that when the AI agent navigates the positioning, it may unknowingly overwrite the person’s clipboard with malicious hyperlinks. Later, if the person pastes usually, they could possibly be redirected to phishing websites and have delicate login info stolen, together with MFA codes.
Moreover, simply hours after ChatGPT Atlas launched, Brave, an open-source browser firm, posted a weblog detailing a number of assaults AI browsers are notably weak to, together with oblique immediate injections. The corporate previously exposed a vulnerability in Perplexity’s Comet browser that allowed attackers to embed hidden instructions in webpages, which the AI may execute when requested to summarize the web page and probably expose delicate information comparable to person emails.
In Comet, Courageous additionally discovered that attackers can disguise instructions in photos which might be executed when a person takes a screenshot, whereas in Fellou—one other agentic AI browser—merely navigating to a malicious webpage can set off the AI to comply with dangerous directions.
“These are considerably extra harmful than conventional browser vulnerabilities,” Chalhoub stated. “With an AI system, it’s actively studying content material and making selections for you. So the assault floor is far bigger and actually invisible. Whereas prior to now, with a traditional browser, you wanted to take a lot of actions to be attacked or contaminated.”
“The safety and privateness dangers concerned right here nonetheless really feel insurmountably excessive to me,” U.Okay.-based programmer Simon Willison said of ChatGPT Atlas in his blog. “I’d wish to see a deep rationalization of the steps Atlas takes to keep away from immediate injection assaults. Proper now, it seems to be like the primary protection is anticipating the person to fastidiously watch what agent mode is doing always!”
Customers might underestimate data-sharing dangers
There are additionally questions round privateness and information retention. Notably, ChatGPT Atlas asks customers to choose in to share their password keychains, one thing that could possibly be exploited by malicious assaults aimed on the browser’s agent.
“The problem is that in order for you the AI assistant to be helpful, you have to give it entry to your information and your privileges, and if attackers can trick the AI assistant, it’s as for those who had been tricked,” Srini Devadas, MIT Professor and CSAIL Principal Investigator, stated.
Devadas stated that the primary privateness concern with AI browsers is the potential leakage of delicate person information, comparable to private or monetary info, when non-public content material is shared with AI servers. He additionally warned that AI browsers may present incorrect info because of mannequin hallucinations and that job automation could possibly be exploited for malicious functions, like dangerous scripting.
“The combination layer between searching and AI is a brand new assault floor,” he stated.
Chalhoub added that it could possibly be simple for much less technically literate customers to obtain these browsers and assume privateness is constructed into the product.
“Most customers who obtain these browsers don’t perceive what they’re sharing after they use these brokers, and it’s very easy to import your whole passwords and searching historical past from Chrome, and I don’t suppose customers notice it, so that they’re not likely opting in knowingly,” he stated.
