OpenAI Shipped An AI Browser That Acts As You.
Then Admitted It Can Be Hijacked.

There is a category of AI failure that does not require the machine to lie, hallucinate, or break. It only requires the machine to do exactly what it was told, by someone who is not you. That is the failure documented here, and it arrived bundled inside a product OpenAI sold as the future of how people use the web. The pitch was seductive and simple: stop browsing yourself, and let an AI do it for you. The problem is that an AI which can act on your behalf can also act on a stranger's behalf, if the stranger knows how to leave instructions where the AI will read them.

On October 21, 2025, OpenAI launched ChatGPT Atlas, a web browser for Mac with ChatGPT built directly into it. Its headline feature was an agent mode: tell it what you want, and the browser will navigate sites, fill in fields, click buttons, and complete tasks using the accounts you are already signed into. The convenience is real. So is the attack surface, and that attack surface is the entire internet, because the internet is full of text, and this browser was built to follow text.

The Attack Has A Name, And No Cure

The technique is called prompt injection. The idea is almost embarrassingly simple. A large language model cannot reliably tell the difference between instructions it is supposed to follow, the ones you typed, and instructions that merely appear in the content it is reading, the ones an attacker planted on a web page, in an email, in a shared document, or in white-on-white text no human would ever notice. To the model, both arrive as words, and words are what it obeys. Hide the right sentence in the right place and the AI reading the page will treat a stranger's command as your own.

For a normal chatbot, that is bad enough. For a browser agent logged into your accounts, it is a different category of danger entirely. The instructions an attacker plants do not have to be a request for information. They can be an action: go to this site, read that field, send this data, click that button. The browser was given the keys, and prompt injection is the art of telling it to use them for someone else.

Within hours of the Atlas launch, demonstrations appeared showing that a few carefully placed words inside an ordinary document could change how the browser behaved. The day Atlas shipped, Brave's security team published findings explaining that indirect prompt injection is not an Atlas bug but a structural challenge facing every AI browser, naming Perplexity's Comet among the affected products. This was not one company's mistake. It was the shared foundation cracking.

OpenAI Said It Itself

The most damning testimony about this product did not come from a critic. It came from OpenAI's own chief information security officer, Dane Stuckey, who addressed the risk publicly the day after Atlas launched. He did not minimize it. He described prompt injection as a problem that has not been solved and warned that determined adversaries would keep hunting for ways to exploit it.

Read that sentence again with the product in mind. The company shipped a browser whose entire purpose is to act on your behalf across the live web, and its top security executive described the central attack against it as unsolved, frontier, and certain to draw sustained effort from adversaries. The honesty is admirable. The sequencing is the scandal. In any other industry, a vendor saying out loud that the core security flaw in a shipped product has no known fix would be a recall notice. In consumer AI, it was a feature launch with a footnote.

The Safeguards Are Real, And They Are Asking You To Do The Work

OpenAI did not pretend the danger away. It built guardrails, and they are worth naming honestly. The agent cannot run code in the browser, cannot download files, cannot install extensions, and cannot reach into other apps or your computer's file system. It offers a logged-out mode, where the agent browses without access to your credentials, so it can read and summarize but cannot log in or make purchases as you. It offers a watch mode, where on sensitive sites the agent pauses and requires you to keep watching, and stops if you switch away. The company also described faster systems to detect and block attack campaigns and training that rewards the model for ignoring malicious instructions.

Look closely at what those safeguards actually ask. The strongest protection, logged-out mode, works by removing the exact capability the product was sold on, acting as you. Watch mode protects you only as long as you sit and supervise the agent, which quietly cancels the time savings that were the entire reason to use it. The safest way to operate this AI browser is to either strip its powers or babysit it, which means the convenience and the safety are inversely related. You get one by giving up the other.

Hidden Text On A Page, And A Memory That Does Not Forget

The theory stopped being theory quickly. The security firm LayerX disclosed a vulnerability it called tainted memories, which abuses ChatGPT's memory feature, the one designed to remember useful details about you across future conversations. In the described attack chain, a logged-in user clicks a malicious link, the page fires a cross-site request that rides on the user's existing ChatGPT authentication, and hidden instructions get written into ChatGPT's memory without the user ever knowing. Because that memory follows the account, the poisoned instructions persist across every device the account is used on, waiting to resurface in later sessions. LayerX reported the issue to OpenAI under responsible disclosure.

In the same body of testing, LayerX reported that Atlas let 97 of 103 phishing pages through, a 94.2 percent miss rate, against mainstream browsers that blocked roughly half. A browser is supposed to be the thing standing between you and a hostile web. An AI browser, in that test, was worse at the most basic version of that job than the ordinary browser it was meant to replace, while also being trusted to act on your accounts.

OpenAI has kept working on it. The company later shipped a security update after building an automated attacker, an LLM trained with reinforcement learning to hunt for prompt-injection strategies against complex multi-step tasks, which surfaced a new class of attacks the update was meant to blunt with a newly adversarially trained model and tighter safeguards. That is real defensive work. It is also, by OpenAI's own framing, an arms race with no finish line, because the underlying weakness is not a bug to be patched but a property of how these models read the world.

This Is Not Just OpenAI, And That Is The Point

It would be easy to read this as a story about one rushed product. It is not. Brave's researchers framed indirect prompt injection as systemic across AI browsers, Perplexity's Comet included. The United Kingdom's National Cyber Security Centre has warned that prompt injection against generative AI applications may never be totally mitigated. When the vendor, an independent browser maker, a rival's product, and a national cyber agency all describe the same flaw as fundamental and possibly permanent, the responsible conclusion is not to ship the agent anyway and label the risk in a blog post. It is to question whether an AI that cannot distinguish your instructions from an attacker's should be handed your logged-in accounts at all.

This is the throughline that connects browser agents to every other failure we document. The promise of AI is the removal of human effort, the part where you stop checking and start trusting. Prompt injection is the reminder that the human in the loop was not friction, it was the thing that could tell whose instructions were whose. Strip that human out and hand the agent your credentials, and you have not removed a checkpoint. You have removed the only thing on the page capable of asking whether the command it just read came from you or from someone who wanted in.

Tracking how AI tools create real-world risk? Browse every documented problem.