ChatGPT Atlas vulnerability: new attack in AI-based browsers

Written by: Robin Kiss, CPTS, EMAPT, BSCP

AI is increasingly part of browsers. It can read, interpret and perform actions on our behalf. But this convenience can also come with serious risks. Experts at NeuralTrust have now found a vulnerability in ChatGPT Atlas that shows how easily AI autonomy can be abused.

What happened?

ChatGPT Atlas is a new browser where the built-in AI not only collects information, but also acts autonomously. The bug arises because text can be inserted in the title bar that at first glance looks like a link. In reality, it contains instructions that the browser interprets as if the user had requested them. So the attacker can essentially give commands to the AI remotely.

How does the attack work?

  • The attacker creates what appears to be a malformed URL containing commands.
  • The user pastes it in or clicks on it.
  • Atlas does not open a new page, but treats the text as an instruction.
  • The AI acts with the user's privileges, which can cause data loss or compromised access.

This is particularly dangerous because such browsers can:

  • fill in forms,
  • manage login processes,
  • copy data.

A small mistake can therefore lead to a disproportionate risk.

In a traditional browser, you have to click for something to happen. But an AI-based browser is autonomous and can act much faster, without the user's knowledge. If it incorrectly separates instructions from the content being browsed, a single pasted text can trigger a harmful action.
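One way to enforce the separation described above, as an added example that is not from the original article or from Atlas: a hypothetical dispatcher for an input field that accepts both URLs and prompts. The names `classifyInput` and `authorize` and the action labels are assumptions, and the sample strings in the comments are constructed.

```javascript
// Added example (hypothetical design, not Atlas code).
// Rule 1: only strings that pass strict URL parsing are navigated to.
// Rule 2: link-like text that fails parsing is never promoted to a trusted prompt.
// Rule 3: sensitive actions always need explicit user approval.

// Action labels are assumptions, modelled on the capabilities the article lists.
const SENSITIVE_ACTIONS = new Set(["fill_form", "login", "copy_data"]);

function classifyInput(raw) {
  const text = String(raw).trim();

  // A real URL contains no whitespace. Do not "repair" link-like text that does.
  if (!/\s/.test(text)) {
    try {
      const url = new URL(text);
      const isWeb = url.protocol === "https:" || url.protocol === "http:";
      if (isWeb && url.hostname) {
        return { kind: "navigate", url: url.href };
      }
    } catch (_) {
      // Not a valid URL: fall through and treat it as text.
    }
  }

  // Text that imitates a link but failed validation is suspicious by construction,
  // e.g. the constructed sample "https:/ /example.com/help please open the settings page".
  const looksLikeLink = /^(https?:|www\.)/i.test(text);
  return { kind: "prompt", text, trust: looksLikeLink ? "untrusted" : "user" };
}

function authorize(input, action, userConfirmed) {
  // Navigation only loads a page; it never triggers an agent action.
  if (input.kind !== "prompt") return false;
  // Link-like text is shown to the user as text, never executed as instructions.
  if (input.trust === "untrusted") return false;
  // Typed prompts may run harmless actions, but sensitive ones need approval.
  if (!SENSITIVE_ACTIONS.has(action)) return true;
  return userConfirmed === true;
}
```
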

How can you reduce your risks?

  • Regularly update your operating system and applications, including your browser and AI.
  • Only use AI integration that requires approval for sensitive operations.
  • Use a browser or extension that helps you isolate the actions performed by AI.
  • Set multi-factor authentication for all accounts that the browser can access.

How to keep your browser up to date?

Google Chrome

  1. Open Chrome.
  2. Click on the three dots in the top right corner.
  3. Choose Help → About Google Chrome (Windows), or Chrome → About Google Chrome (macOS) from the top menu bar.
  4. If there is an update, it will be installed automatically. Restart the browser at the end of the process.

Mozilla Firefox

  1. Open Firefox.
  2. Click on the top right menu icon.
  3. Choose Help → About Firefox (Windows), or from the top menu bar Firefox → About Firefox (macOS).
  4. If an update is available, it will be downloaded automatically and installed after a reboot.

Both browsers update automatically, but you can check the current version manually at any time using this step-by-step guide.

AI-based solutions should be used with caution

Which browser or extension should I use?

If you are using an AI-based browser or AI agent, you should choose a solution that can limit background operations and separate different web sessions. Currently, the safest approach is to use Firefox with the following add-ons:

  • uBlock Origin: blocks malicious scripts from running and blocks known exploit sources.
  • NoScript: prevents untrusted pages from running JavaScript.
  • Firefox Multi-Account Containers: keeps sessions separate so AI runs in a separate container and doesn't have access to your logged-in corporate or private accounts.

For Chrome, it is worth using a permission monitoring plugin such as Guardio or WebVet, which monitor and restrict automated actions by AI.

How can you restrict AI access?

It is also worth going through the security settings for the browser and AI separately.
These options may vary from application to application.

Browser settings

  • Turn off the browser's automatic form filling feature.
  • Use a password manager and do not allow it to fill in fields automatically.
  • Browse in separate profiles, containers or incognito windows so the AI can't see other sessions.

AI settings

  • If your settings allow it, do not allow AI to view or copy passwords, credentials, access codes and tokens.
  • If an AI asks for permission to operate on external sites, approve it only if it is really necessary.

Convenience vs. security

It's important to understand that full access to your session and data is almost essential to provide the functionality offered by AI applications. It can only work for you if it has all the information it needs.

If, for example, you ask it to book accommodation for you and it asks for all your details, you could just as well have made the booking yourself. However, if you save this data, it could easily fall into the wrong hands in the event of a security incident.

For this reason, using it in complete safety requires a lot of attention and effort.
It's a classic convenience versus security situation: the more secure you make the system, the more cumbersome it becomes to use. Because AI is attractive precisely for its convenience features, these two aspirations are fundamentally at odds.

It is reasonable to assume that through the AI application, the manufacturer could potentially access all your browsing and session information.
The question is whether you are willing to extend this trust and whether you really need this level of convenience.
