Serious vulnerabilities found in OpenAI’s newly released Atlas browser
A browser is something we use multiple times a day, making it a perfect touchpoint for technology companies seeking world domination, or at least aiming to get ahead of the competition. The list of things we do in a browser continues to grow seemingly without end, and every one of them means submitting some kind of data through it. This makes profiling customers (and we are all customers to big tech) an easy task. These profiles are then used to target ads, which is the most benign way such data can be exploited.
Thus, it is unsurprising that companies like Google built their own browsers. Nor is it surprising that the current leaders of the AI race want to add such a product to their portfolios. There are already around a dozen AI-driven browsers, or those claiming to be, from Perplexity’s Comet and Dia to Opera Neon (stay tuned; we’ll publish an overview article about AI-based browsers soon).
On October 21, 2025, OpenAI joined the race with Atlas. So far, only a macOS version is available to the public. The browser is explicitly “agentic” — capable of performing meaningful actions on behalf of the user — which, as it turns out, is both a blessing and a curse.
Key vulnerabilities in OpenAI’s Atlas (as of October 2025)
Prompt injection attacks. Like other AI-based browsers, ChatGPT Atlas is vulnerable to indirect prompt injection attacks. These involve malicious instructions hidden inside a webpage or embedded text. The prompts are designed to make the AI agent perform actions beneficial to wrongdoers, from sharing sensitive information to causing financial loss in one way or another.
Clipboard injection exploit. This is particularly interesting: the AI can be manipulated into copying a link to the clipboard, which the user may later paste into the browser’s address bar. Needless to say, the link leads to a phishing site.
UI redressing and full-screen spoofing (CVE-2025-7021). This vulnerability has already received a CVE (Common Vulnerabilities and Exposures) number. The browser may fail to correctly handle the fullscreen API and UI rendering, making it unable to detect when a site overlays phishing content. Its controls may also fail to respond to spoofing.
A deeper issue lies in the browser’s core design: real-time integration with OpenAI’s large language model means Atlas sends at least some data to the company’s servers, which requires certain internal memory that could be accessed or exploited.
The situation is evolving; stay tuned for further reporting and guidelines on how to mitigate the inherent flaws in AI-based browsers.