OpenAI has released its ChatGPT Atlas browser, a new application that integrates a chatbot interface into a Chromium-based web browser, prompting concerns from security experts regarding online privacy and data protection.
A central feature of the browser is “Memories,” which OpenAI describes as an enhanced version of a standard web history. This feature is enabled by default and is designed to collect data to improve the AI’s performance. “Memories” saves contextual information about the websites users visit, documents they view, and their interactions and preferences. The stated goal is to allow users to find information using conversational language rather than needing to recall exact URLs or keywords. The browser’s privacy and data controls indicate that OpenAI begins saving detailed information about user habits as soon as the browser is installed.
OpenAI states that the browser is designed to exclude certain sensitive data from its memory. The company specifies it will not save personally identifiable information, including government IDs, Social Security numbers, and bank account details. Other excluded data types are online credentials, account recovery information, addresses, medical records, and financial details. The browser also has filters to avoid saving summaries from what it terms “certain sensitive websites (like adult sites).” For additional control, users can manually prevent specific pages from being saved by using a “page visibility” button located in the address bar.
ChatGPT Atlas includes an AI agent that can browse the web and perform tasks on behalf of the user. This functionality has been a point of failure in other AI-powered browsers. Earlier this year, Perplexity’s Comet browser was compromised through simple prompt injection attacks. Security researchers demonstrated that hidden text on a website could hijack the agent, causing it to reveal a user’s login credentials and share an authentication code.
Security researcher Simon Willison raised alarms about the potential for similar attacks on Atlas. In a blog post, Willison wrote, “I’d like to see a deep explanation of the steps Atlas takes to avoid prompt injection attacks. Right now it looks like the main defense is expecting the user to carefully watch what agent mode is doing at all times!” He also characterized the security and privacy risks associated with browser agents as “insurmountably high.”
Less than 24 hours after the browser’s launch, a security vulnerability was publicly demonstrated. A hacker with the online handle @elder_plinius showed that the Atlas Agent is susceptible to a “clipboard injection” attack. The demonstration showed how the agent could be manipulated into copying a malicious link. A user who later pastes this link could be directed to a phishing site designed to steal their credentials.
The discovery of a security flaw so soon after release has led experts to warn of potentially larger, “canyon-sized” privacy and security holes in AI browsers. The combination of the browser’s extensive data collection for personalization with its potential security weaknesses is being described as a significant risk.




