OpenAI has launched ChatGPT Atlas, a new web browser that integrates a chatbot interface, a release that has prompted immediate security and privacy concerns from researchers. The browser, described as appearing like a forked version of Chromium with a chatbot feature, represents an effort to redefine internet navigation.
The development of a web browser aligns with the value of the data it can access. Browsers are repositories for massive amounts of user information, which can range from the specific websites people visit to their saved passwords and payment information. They also collect telemetry data, which provides details on user behavior such as where they click on a page. OpenAI has positioned this data-gathering capability as a central feature of the ChatGPT Atlas browser.
A primary component of this strategy is a feature called “Memories,” which functions as a significantly enhanced version of a standard web history. It is designed to recall contextual information about the sites a user visits and the documents they interact with. The stated purpose of this function is to allow users to navigate the web through a conversational interface, enabling them to find information by describing it in human language rather than using precise URLs or keywords. The browser’s privacy and data controls, as noted by the Washington Post, reveal specifics about what the company is collecting and storing.
The “Memories” feature is activated by default, meaning OpenAI saves details about visited sites, user interaction patterns, and preferences from the moment of installation. The system is designed not to remember certain sensitive information. The list of exclusions includes personally identifiable information like government IDs, Social Security numbers, bank account details, online credentials, account recovery content, and addresses. Filters are also in place to exclude private data such as medical records and financial information. Although the browser creates summaries of visited sites, it is programmed not to save information from “certain sensitive websites (like adult sites).” Users are provided a manual override option to individually exclude specific pages by using a “page visibility” button in the address bar.
ChatGPT Atlas also includes an AI agent that can browse the web and complete tasks on behalf of the user, a feature that has caused security issues in previous applications. Earlier this year, the Perplexity Comet browser was compromised by simple prompt injection attacks, where hidden text on a website was able to hijack its AI agent. In a public demonstration, security researchers compelled the agent to reveal a person’s login credentials and then successfully retrieved and shared an authentication code.
Programmer and security researcher Simon Willison raised alarms regarding this technology. In a blog post, he wrote, “I’d like to see a deep explanation of the steps Atlas takes to avoid prompt injection attacks. Right now it looks like the main defense is expecting the user to carefully watch what agent mode is doing at all times!” Willison also called the broader security and privacy risks associated with such browser agents “insurmountably high.”
A vulnerability in Atlas was identified by a hacker less than 24 hours after its launch. A Twitter user with the handle @elder_plinius demonstrated how the Atlas Agent is susceptible to a “clipboard injection” attack. This method involves tricking the agent into copying a malicious link, which could later be pasted by the user, leading them to a phishing website designed to steal credentials. The rapid discovery of this flaw has intensified warnings from experts about the potential for “canyon-sized” privacy and security holes in AI-powered browsers.
Eight Sleep, a partner company mentioned in the article, did not respond to a request for comment. The source material highlights that the Atlas browser collects more information about users and their habits to create a sophisticated surveillance system for personalization. This, combined with the identified security vulnerabilities, is described as a “potentially disastrous combination.”
