Skip to main content
  1. Home
  2. Computing
  3. News

Your AI browser can be hijacked by prompt injection, OpenAI just patched Atlas

OpenAI says an internal automated red team uncovered a new class of agent-in-browser attacks, prompting a security update with a newly adversarially trained model and stronger safeguards.

By
Add as a preferred source on Google
A dark mystery hand typing on a laptop computer at night.
Andrew Brookes / Getty Images

OpenAI has shipped a security update to ChatGPT Atlas aimed at prompt injection in AI browsers, attacks that hide malicious instructions inside everyday content an agent might read while it works.

Atlas’s agent mode is built to act in your browser the way you would: it can view pages, click, and type to complete tasks in the same space and context you use. That also makes it a higher-value target, because the agent can encounter untrusted text across email, shared documents, forums, social posts, and any webpage it opens.

Recommended Videos

The company’s core warning is simple. Hackers can trick the agent’s decision-making by smuggling instructions into the stream of information it processes mid-task.

A hidden instruction, big consequences

OpenAI’s post highlights how quickly things can go sideways. An attacker seeds an inbox with a malicious email that contains instructions written for the agent, not the human.

Later, when the user asks Atlas to draft an out-of-office reply, the agent runs into that email during normal work and treats the injected instructions as authoritative. In the demo scenario, the agent sends a resignation letter to the user’s CEO, and the out-of-office never gets written.

If an agent is scanning third-party content as part of a legitimate workflow, an attacker can try to override the user’s request by hiding commands in what looks like ordinary text.

An AI attacker gets practice runs

To find these failures earlier, OpenAI says it built an automated attacker model and trained it end-to-end with reinforcement learning to hunt for prompt-injection exploits against a browser agent. The goal is to pressure-test long, realistic workflows, not just force a single bad output.

The attacker can draft a candidate injection, run a simulated rollout of how the target agent would behave, then iterate using the returned reasoning and action trace as feedback. OpenAI says privileged access to those traces gives its internal red team an advantage external attackers don’t have.

What to do with this now

OpenAI frames prompt injection as a long-term security problem, more like online scams than a bug you patch once. Its approach is to discover new attack patterns, train against them, and tighten system-level safeguards.

For users, you should use logged-out browsing when you can, scrutinize confirmations for actions like sending email, and give agents narrow, explicit instructions instead of broad “handle everything” prompts. If you’re still curious what AI browsing can do, then go with browsers that ship updates that benefit you.

Paulo Vargas
Paulo Vargas
News Writer
Paulo Vargas is an English major turned reporter turned technical writer, with a career that has always circled back to…
Topics
Claude’s Sonnet 5 is built to do more on its own and cost you less
Better than its predecessor, nearly as good as the flagship, and meaningfully cheaper than both.
Art, Floral Design, Graphics

Every major AI lab is racing to prove its models can work autonomously with minimal hand-holding; we’re now seeing pricing emerge as the next battleground. 

Anthropic just fired its latest shot, Claude Sonnet 5, a model the company says performs nearly as well as its flagship Opus 4.8 at a fraction of the cost.

Read more
Apple Creator Studio adds AI tools across Final Cut Pro, Logic Pro and Pixelmator Pro
Final Cut Pro gets AI captions, Auto Mask and better Pixelmator Pro workflows in Creator Studio update
Computer Hardware, Electronics, Hardware

Apple has introduced a major update to Apple Creator Studio, adding new AI features, deeper Pixelmator Pro integration, and workflow upgrades across Final Cut Pro, Logic Pro, Keynote, Pages, Numbers, Motion, Compressor, Freeform, and Final Cut Camera.

The update makes Creator Studio more useful across Mac, iPad, and iPhone, especially for people who move between video editing, image editing, presentations, documents, spreadsheets, and music production.

Read more
AI browsers like Perplexity Comet can be tricked into spilling your password through BioShocking exploit
Six AI browsers were found leaking saved passwords and many of them haven't fixed it yet.
MacBook Air in hand, Comet browser loaded—let’s see what Perplexity’s AI can really do

Security researchers just found a strange way to trick AI browsers into handing over your passwords. They managed to trick AI browser agents into exposing sensitive data like saved passwords, session cookies, and private tokens by disguising the theft as part of a harmless "game."

The technique is called BioShocking, named after the popular video game BioShock, where a brainwashed character is manipulated into believing a false reality. Once an AI browser falls for the same trick, it stops following its own safety rules entirely.

Read more