Why OpenAI’s Atlas Browser Faces Critical Prompt Injection Threats

OpenAI recently released the new Atlas browser, which follows malicious commands embedded in web pages, a type of attack known as indirect prompt injection.

Brave Software’s report highlighted that instant injection vulnerabilities are a common flaw in AI‑agent browsers such as Perplexity‑integrated Comet and Fellou.

OpenAI expressed excitement about Atlas’s debut, but warned that when AI models or agents treat web content as part of an instruction, indirect prompt injection can occur, unlike direct injection where commands are entered directly into the model’s input.

Brave senior mobile security engineer Artem Chaikin and privacy‑security VP Shivan Kaul wrote that their findings confirm that indirect prompt injection is a systemic challenge across the entire AI‑browser category.

Security researcher Avram Piltch created a webpage that instructed the browser to open Gmail, fetch the subject of the first email, and send it to another site; the attack succeeded.

ChatGPT Atlas product lead Pranav Vishnu warned users that the AI‑browser hybrid could pose risks.

The community quickly demonstrated Atlas (a Chromium‑based browser) being used for indirect prompt injection, allowing ChatGPT to act as a web‑data agent.

Developer CJ Zafir posted on social media that after confirming “instant injection is real,” he uninstalled Atlas.

Another researcher showed a successful prompt‑injection test using Google Docs, causing Atlas’s ChatGPT to output “Trust No AI” instead of the expected summary.

AI security researcher Johann Rehberger reported many other prompt‑injection attacks against AI models and tools, publishing a Google Docs‑based demonstration that switched the browser theme from dark to highlighted.

OpenAI CISO Dane Stuckey tweeted a long post acknowledging the rapid‑injection risk and outlining mitigation strategies.

Stuckey wrote that the emerging risk of instant injection involves attackers hiding malicious commands in websites, emails, or other sources to trick agents into unintended actions.

He explained that OpenAI’s long‑term goal is to make people trust ChatGPT’s AI agents like a security‑conscious friend, but Atlas is not yet ready for full trust.

OpenAI has added extensive red‑team testing, novel model‑training techniques to ignore malicious instructions, overlapping safeguards, and new systems to detect and block such attacks, yet instant injection remains an unsolved frontier.

Rehberger expressed interest in learning more about Atlas and noted that instant injection is a major emerging threat to confidentiality, integrity, and availability, with no perfect mitigation—similar to social‑engineering attacks on humans.

OpenAI’s defenses make exploitation challenging, but carefully crafted malicious content can still cause Atlas to emit attacker‑controlled responses or invoke tools, as shown in a benign prank that changed the browser window’s appearance during interaction.

This underscores the importance of downstream security controls and human oversight when LLM outputs are used in automated systems.

Atlas now introduces a new login/logout mode to let users balance risk and control data access, reflecting OpenAI’s awareness of the threat.

Rehberger warned that AI‑agent systems are still early‑stage, with many threats yet undiscovered.

In a pre‑release paper from December, Rehberger described how instant injection undermines the CIA triad—confidentiality, integrity, and availability.

He concluded that because instant injection lacks deterministic solutions, documenting and implementing security guarantees in applications handling untrusted data is crucial, and the recurring advice remains: don’t trust AI blindly.