OpenAI’s New Browser Raises ‘Insurmountably High’ Security Concerns

Yesterday, OpenAI launched its ChatGPT Atlas browser—a supposedly reimagined web browser that actually looks a lot more like a forked version of Chromium with a chatbot bolted on—in an effort to redefine the way that people navigate the internet. It’s not clear that it’ll accomplish that, but it has been innovative in one way already: It’s launched a whole new set of concerns about online privacy and security.

It’s not too hard to imagine why OpenAI wanted to build a web browser: it’s the data. Browsers contain massive amounts of information, from the sites people visit to their passwords and payment information to telemetry data on where they click.

OpenAI has positioned that as a feature. “Memories” is like your web history on steroids, able to recall contextual information about the sites you visit, documents you interact with, and more. The idea is that users will be able to navigate the web via a conversational interface that can find information described in human language rather than precise URLs or keywords. But, as the Washington Post points out, the browser’s privacy and data controls reveal more about what the company is collecting and storing, and it raises more than a few concerning implications.

Memories are on by default, so OpenAI is saving details about the sites you visit, the way you interact with them, and your preferences right out of the box. It is not supposed to remember certain information, including personally identifiable information like government IDs, Social Security numbers, bank account details, online credentials, account recovery content, and addresses. It also has filters to exclude private data like medical records and financial information. While it keeps summaries of the sites you visit, it won’t save those from “certain sensitive websites (like adult sites),” continuing OpenAI’s ongoing display of porn brain. Users can also choose to individually exclude certain pages by clicking a “page visibility” button in the address bar.

That, of course, assumes everything works the way it is intended—which isn’t always the case. ChatGPT Atlas also includes an AI agent that can browse the web and complete tasks on behalf of the user. Previous browsers have run into real trouble with that. Earlier this year, Perplexity’s Comet browser fell victim to simple prompt injection attacks, in which hidden text on a website could effectively hijack the agent. In a demonstration, security researchers were able to get the agent to reveal a person’s login credentials and retrieve and share an authentication code.

Programmer Simon Willison raised alarm bells about this. In a blog post, he wrote, “I’d like to see a deep explanation of the steps Atlas takes to avoid prompt injection attacks. Right now it looks like the main defense is expecting the user to carefully watch what agent mode is doing at all times!” He also described the security and privacy risks associated with browser agents broadly as seeming “insurmountably high.”

At least one hacker has already claimed to have knocked Atlas off its tracks. Twitter user @elder_plinius showed how the Atlas Agent is susceptible to “clipboard injection,” getting the Agent to copy a malicious link that will later lead the user to a phishing site that steals credentials.

Eight Sleep did not immediately respond to a request for comment. Gizmodo will update this post when we receive a reply.

It took less than 24 hours for someone to find a crack, however small, in Atlas. Experts are warning that there may be canyon-sized privacy and security holes in AI browsers like Atlas. Meanwhile, Atlas collects more information about users and their habits and creates an even more sophisticated surveillance apparatus around them in the name of personalization. Seems like a potentially disastrous combination.


