Malicious URLs can "jailbreak" Atlas, bypassing safety features.
The vulnerability allows attackers to execute harmful commands like opening phishing pages or exporting data.
Atlas stores unencrypted OAuth tokens, granting unauthorized access to user accounts.
OpenAI has been in the spotlight since introducing the ChatGPT Atlas browser. The company claims that it is specifically designed to incorporate AI-powered assistance directly into web browsing. However, it has encountered a significant cyber security issue. According to reports, cybersecurity firm NeuralTrust has discovered a vulnerability that allows attackers to “jailbreak” the system by sending malicious prompts disguised as regular URLs.
SurveyAccording to the report, the flaw is how Atlas interprets input in its omnibox, unified address, and search bar. The feature was designed to allow users to navigate websites or send natural language commands to the AI assistant. However, the dual functionality creates a vulnerability in which attackers can create fake URLs that resemble legitimate web addresses but contain hidden commands.
In these cases, Atlas does not recognise the malformed URLs as valid links. Instead, the browser treats them as AI prompts with high trust, allowing embedded instructions to bypass safety measures. This means that an attacker could trick the browser into performing harmful actions such as opening phishing pages, exporting user data, or even deleting files, all without the user’s explicit consent.
The researchers demonstrated examples of such exploits, which the browser could interpret as an instruction rather than a navigation command. The problem arises because AI agents in Atlas have broader permissions than traditional browsers, which have stricter same-origin policies.
NeuralTrust, a cybersecurity firm, warned that this can be weaponised using simple tactics, such as malicious websites replacing a user’s clipboard content with prompt-injection code. When the user pastes the copied text into the Atlas omnibox, the embedded command is executed automatically.
The report also stated that Atlas stores OAuth tokens in an unencrypted format. This means that it grants unauthorised access to the connected user accounts.
In response, OpenAI acknowledged the problem, stating that prompt-injection attacks are still a known challenge for agentic systems like Atlas. The company said it is stepping up red-teaming efforts and training its models to better resist hidden instructions in web content or emails. OpenAI also advised users to turn on “logged-out mode,” which limits access to sensitive data while browsing.
Follow Us
Ashish Singh
Ashish Singh is the Chief Copy Editor at Digit. He's been wrangling tech jargon since 2020 (Times Internet, Jagran English '22). When not policing commas, he's likely fueling his gadget habit with coffee, strategising his next virtual race, or plotting a road trip to test the latest in-car tech. He speaks fluent Geek. View Full Profile
