Vulnerabilities exposed shortly after launch
When OpenAI launched ChatGPT Atlas on October 21, 2025, security researchers immediately identified serious weaknesses in the Mac-only browser.
Testing revealed a concerning 5.8% phishing block rate, dramatically lower than traditional browsers like Chrome at 47% and Microsoft Edge at 53%.
Prompt injection attacks emerged as the most significant threat, where malicious actors embed hidden commands within webpages, documents, or emails that can manipulate the AI's behavior.
Security firm LayerX discovered a vulnerability dubbed "Tainted Memories" that exploits cross-site request forgery to inject malicious instructions into ChatGPT's memory, which then persists across all devices and browsers where a user's account is logged in.
"The main risk is that it collapses the boundary between the data and the instructions: It could turn an AI agent in a browser from a helpful tool to a potential attack vector against the user," Maxime Chalhoub, a cybersecurity researcher, told Fortune.
"So it can go and extract all of your emails and steal your personal data from work, or it can log into your Facebook account and steal your messages, or extract all of your passwords, so you've given the agent unfiltered access to all of your accounts."
OpenAI's security response and automated defenses
In response to mounting security concerns, OpenAI has implemented what it calls an "LLM-based automated attacker"—an AI system trained through reinforcement learning to simulate sophisticated cyber attacks before they occur in the wild.
This automated red teaming approach allows the company to discover and patch vulnerabilities at scale.
"Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully 'solved,'" OpenAI stated in its Monday blog post.
The company conceded that "agent mode" in ChatGPT Atlas expands the security threat surface.
Dane Stuckey, OpenAI's Chief Information Security Officer, emphasized the company's commitment to security in an October post on X: "Our long-term goal is that you should be able to trust ChatGPT agent to use your browser, the same way you'd trust your most competent, trustworthy, and security-aware colleague or friend."
The December security update includes a newly adversarially trained model and strengthened safeguards.
OpenAI demonstrated one attack discovered by its automated system, where a malicious email planted in a user's inbox contained hidden instructions directing the agent to send a resignation letter to the user's CEO instead of drafting an out-of-office reply.
Ongoing security challenges and expert skepticism
Despite OpenAI's security enhancements, cybersecurity experts remain cautious about AI browsers' readiness for widespread adoption.
Rami McCarthy, Principal Security Researcher at Wiz, told TechCrunch: "A useful way to reason about risk in AI systems is autonomy multiplied by access.
Agentic browsers tend to sit in a challenging part of that space: moderate autonomy combined with very high access."
McCarthy added: "For most everyday use cases, agentic browsers don't yet deliver enough value to justify their current risk profile.
The risk is high given their access to sensitive data like email and payment information, even though that access is also what makes them powerful."
Charlie Eriksen, a security researcher at Aikido Security, expressed similar concerns to Fortune: "What concerns me is that we're trying to retrofit one of the most security-sensitive pieces of consumer software with a technology that's still probabilistic, opaque, and easy to steer in subtle ways. Red-teaming and AI-based vulnerability hunting can catch obvious failures, but they don't change the underlying dynamic."
Privacy concerns and user recommendations
Beyond security vulnerabilities, ChatGPT Atlas raises significant privacy concerns.
The browser's "browser memories" feature retains extensive information about pages viewed and user actions, creating what some experts describe as a potential "honeypot" for attackers.
Lena Cohen, a staff technologist at the Electronic Frontier Foundation, told the Washington Post that in her testing, Atlas memorized sensitive queries about reproductive health services, including the name of a real doctor.
OpenAI recommends users take several precautions to reduce risk.
The company advises limiting logged-in access when possible, carefully reviewing agent confirmation requests before proceeding, and providing specific instructions rather than broad commands.
"Wide latitude makes it easier for hidden or malicious content to influence the agent, even when safeguards are in place," OpenAI stated.
The browser includes safety features such as "logged out mode" and "Watch mode," which require users to explicitly confirm sensitive actions like sending messages or making payments.
OpenAI also restricts the agent from executing code, downloading files, accessing the file system, or using autofill data.
Industry-wide implications
OpenAI's challenges with ChatGPT Atlas reflect broader security issues facing the entire AI browser industry.
A recent academic study evaluated eight popular browser agents released or updated in 2025, including ChatGPT Atlas, Perplexity's Comet, and Google's Project Mariner, finding at least one significant vulnerability in every product tested.
The UK's National Cyber Security Centre warned earlier this month that prompt injection attacks against generative AI applications "may never be totally mitigated," putting websites and users at ongoing risk.
Dennis Xu, an analyst at Gartner, issued a stark recommendation: "Enterprises should block all AI agent browsers until adequate security controls are proven."
OpenAI maintains an optimistic outlook despite acknowledging the persistent nature of these threats.
"We're optimistic that a proactive, highly responsive rapid response loop can continue to materially reduce real-world risk over time," the company stated.
"By combining automated attack discovery with adversarial training and system-level safeguards, we can identify new attack patterns earlier, close gaps faster, and continuously raise the cost of exploitation."
The company plans to expand ChatGPT Atlas to Windows, iOS, and Android platforms, though no specific timeline has been announced.