
Exploring the Risks of ChatGPT’s Atlas Browser

When OpenAI launched ChatGPT Agent, it was the merger of two previous offerings: Deep Research, a multi-step reasoning model capable of accomplishing complex tasks, and Operator, an agent that can browse the web. But something was a bit off. Yes, it could browse and execute operations on behalf of the user, but only in a remotely hosted browser. Now comes the next phase of the evolution: plugging ChatGPT directly into the user’s own browser with ChatGPT Atlas.
This is OpenAI’s agentic browser, similar to Perplexity Comet, Dia and others. But integrating an LLM into the browser doesn’t come without risk. The browser security model has been cultivated over decades, and supercharging it with an AI agent might fundamentally break some of its security boundaries. Join us as we explore the features and risks introduced by Atlas.

Atlas Notable Features

Agent Mode

When opening Atlas we face the following main page:

The main page is a chatbox, which is also available via a side panel on any web page you browse. By default, Atlas uses ChatGPT to answer the user’s questions while taking the page’s contents into account. This means you can ask Atlas questions about the email you’re writing, the product you’re shopping for, or the article you’re reading, all directly from your browser. But unless it is explicitly enabled, Atlas cannot directly interact with or take actions within the browser itself. To enable that, one must explicitly opt in to “Agent mode”.

This allows the backend AI model to use the browser as a tool to complete tasks: browse the internet, fill out forms, send emails in Gmail or set up meetings in Google Calendar.

This is a conscious choice by OpenAI, making sure that the user always knows when the agent is in play. The decision stands in contrast to other agentic browsers, like Perplexity’s Comet, which leave it to the model to implicitly make that decision while the user only sees it through the browser’s reasoning output.

This is a security-oriented decision that, while not fully protecting the user, shows great awareness of the risks inherent to AI-controlled browsers.

Logged In/Out

Once “Agent mode” is enabled, another option appears:

Agent mode has two modes of operation:

  1. Logged In - the agent uses the user’s credentials on web pages they’ve signed in to. For instance, if browsing to Gmail, the agent can read and send emails on behalf of the user.

  2. Logged Out - the agent browses the web and performs actions without being signed in to anything. In this case, browsing to gmail.com just lands on the login page and the user has to explicitly log in.

This has significant security implications that we’ll get to in a bit, and it is yet another security-conscious choice by OpenAI. As you probably know, giving AI the ability to act on your behalf can be risky business.

Additionally, once a mode is selected for the first time, it becomes the default used by Atlas whenever “Agent mode” is activated. This means that an unaware user who selected Logged In will probably run most, if not all, of their agent interactions in that mode. And as we have learned again and again, in security, defaults matter.

Memories

Browsing through the settings, we saw the following section under “Personalization”:

Atlas Memories

It turns out Atlas can use two types of memories:

  1. Saved memories from ChatGPT chat - these can be stored while using regular ChatGPT from any device.

  2. Browser memories - memories stored while using Atlas.

Memory is a powerful tool that can be abused to manipulate agents. It can be used to persist an attack, as demonstrated brilliantly here. We saw that Atlas is no different, with a twist: you can influence its actions not only through browser memories but also through memories created in other ChatGPT chat sessions.

ChatGPT Atlas Risks

Agent Mode Enabled

When Agent mode is enabled, ChatGPT takes over the browser and uses it to perform the task it was handed. This is where the risk of prompt injection is at its most dangerous, as it allows attackers to remotely control the user’s browser for their own malicious purposes, including directing Atlas to take harmful actions, exfiltrate data, navigate to malicious sites and more. When Agent mode is off, Atlas functions like a regular browser with added ChatGPT assistance. And while the risk of prompt injection is still present even when Atlas only reads from a web page, its impact is significantly reduced compared to scenarios where Agent mode is activated.

Making this opt-in is a good choice, transforming Atlas from a “shadow AI browser” into a conscious tool in the hands of the user, available only when explicitly selected.
But this also has a flip side: more responsibility in the hands of the user means more attention they have to pay to their browser’s actions. And although this reduces the risk, as we’ve learned over the last 30 years, trusting users to make security-oriented decisions never ends well.

It’s a great thing we didn’t see an “Always on” button for this (yet).

Logged In vs. logged out

Ok, so we know we need Agent mode to perform tasks. But it makes a huge difference whether we’re logged in to our accounts or not. Being logged in to our mail service, calendar, social media, etc., only increases the attack surface for an injection. Every email we receive, calendar invite or post that we direct Atlas to look at, and that therefore enters the model’s context, is a potential source of trouble.

This also means an increased blast radius in the case of a successful attack. Whatever you can do, the prompt-injected Atlas browser can do for you. Or, when hijacked by an attacker, everything you can do, the attacker can do on your behalf. This includes sending emails in your name, posting on social media, accessing your Google Drive and exfiltrating sensitive information from various accounts. And, as demonstrated before on another agentic browser, even draining your bank account.

ChatGPT Memory Attachment

Since ChatGPT’s memories are connected to Atlas, if, for instance, the user gets memory-injected during a completely different and normal ChatGPT session (i.e. vanilla ChatGPT), the same memory injection can then be triggered to hijack their Atlas session and carry out any of the attacks mentioned above. To test this we did the following:

  1. Opened ChatGPT and injected a memory:

  2. On Atlas, we checked that it was indeed accessible:

  3. Then, when we asked it a benign question, it responded with:

As demonstrated multiple times in the past, memory injection can be lethal, enabling persistence and even full C&C control of the infected AI in the case of a successful attack. Moreover, what we just demonstrated above opens a way to move laterally between different OpenAI products. Your memory, poisoned during a completely normal ChatGPT session, can be weaponized to take control of your Atlas browser when the opportunity strikes. This significantly increases the impact a malicious memory can have.

There are multiple ways to poison ChatGPT’s memory, including:

  • Sharing malicious instructions through connected services and connectors (Google Drive, Gmail, Slack, Dropbox, etc.), requiring no user interaction at all

  • Embedding prompt injections inside untrusted files uploaded to ChatGPT by the user themselves (PDFs, DOCX, spreadsheets, slides)

These straightforward ways of getting into your regular ChatGPT’s memory just got much more impactful.

Exfiltration

In other AI agent platforms, exfiltration is a hurdle an attacker needs to overcome. Methods include link unfurling, Markdown rendering, or exfiltrating via connectors such as sending emails, to name a few. In the browser this is no longer an issue, since a browser is designed to send requests literally anywhere. A compromised Atlas will happily navigate to an attacker-controlled domain, carrying the data with it in the request, and there is no way of stopping it: you can’t whitelist the entire web. It’s probably safe to assume that if the agent got compromised, the data is out. And if you’re logged in anywhere that sensitive data might be stored, you should be aware of the implications.

Prompt Injection

This is the glue between all the other parts. It’s the constant threat that hovers over AI agents in general and agentic browsers in particular. And, as the world is starting to understand, it is not a problem that is going away anytime soon.

It’s a good sign that OpenAI treats it as such and has invested effort in minimizing it, but it is by no means solved or fully mitigated. In the case of Atlas, the user always needs to keep two questions in mind: what am I exposing the agent to, and what can it do if compromised? This is true for AI agents everywhere, and even more so for AI-powered browsers.

Usage Advice

Now that we know what we know about the risks that come with OpenAI’s Atlas, here are some recommendations to help you stay safe:

  1. Use Agent mode only for tasks that require it. It’s best to use Atlas as a browser with decades of Chromium security testing baked in behind it. Turn its superpowers on only on demand. It’s your risk, own it.

  2. Avoid browsing “Logged In” whenever possible. The risk is still there when you’re logged out, but as we’ve seen, when you’re logged in the possible impact increases by orders of magnitude. It’s a default that you get to choose. Choose wisely.

  3. Monitor your memories. This was true before Atlas, but with the shared memory feature a malicious memory can now do much more damage. Be on the lookout for malicious memories across all of your ChatGPT products.

  4. Monitor Atlas carefully. As browsers are able to take far more sophisticated actions than a common AI chatbot, a more careful approach is needed. Any action Atlas takes can be influenced by malicious input coming from anywhere on the internet. Without proper monitoring of these actions, and an understanding of when the behaviour is out of line, using it will always be accompanied by all the risks we mentioned above.

Epilogue

Atlas represents another step in AI-assisted browsing, but like any powerful tool, it comes with considerations. The combination of Agent mode, login state, memory features, and the potential for data exfiltration or prompt injection creates a unique risk landscape that differs from traditional browsers. These aren't reasons to avoid Atlas, but they do warrant a thoughtful approach. The key is understanding what each feature does and making intentional choices about when to use it. But as with any agentic AI system, it doesn’t come risk-free and you shouldn't trust it blindly.
