OpenAI’s New Web Browser Carries Serious Security Risks.
OpenAI has officially entered the browser wars. On Tuesday, the company announced Atlas , a new web browser with ChatGPT integration. It’s currently only available for Mac, but I wouldn’t recommend even my Apple friends to jump on it—at least not without understanding all the risks.
Atlas, a web browser powered by artificial intelligence
If you’ve used other AI-powered browsers, such as Perplexity’s Comet , Atlas will feel familiar. In fact, this is likely true of any web browser: Atlas is built on Chromium, the engine that powers browsers like Google Chrome, Microsoft Edge, and Opera. This means Atlas’s core mechanics are fairly standard; there’s nothing revolutionary about tab sorting or the browsing experience itself.
The same applies to some interactions with ChatGPT. As with other AI-powered browsers, ChatGPT is located in the sidebar of the browser window. You can invoke it by clicking the “Ask ChatGPT” button and ask it questions about the content you’re viewing. You can also ask ChatGPT for writing assistance when you type into an open browser field.
Like Comet, Atlas has an agent mode, but it’s built on top of the existing ChatGPT agent . The idea is that you can task Atlas with performing functions on your behalf. So, instead of going to DoorDash and ordering dinner, you can ask Atlas to do it for you. You can even watch Atlas work and see how it considers each decision. OpenAI has other ideas for using Atlas’s agent mode, such as giving the browser a recipe to purchase or asking the bot to review team documents to create a brief.
Deeper integration with ChatGPT is what sets Atlas apart from its competitors. If you regularly use ChatGPT, you’ll likely appreciate the contextual information about your past conversations. For example, if you’ve already asked ChatGPT a question about a topic and are currently researching it in a browser window, you can continue the conversation, trusting that ChatGPT will remember what you’ve already discussed.
Similarly, Atlas will track your browsing history and activity and refer to it in future sessions. Perhaps you’ll open your browser to get personalized recommendations on which sites and topics to explore next. Sound scary? Sure. But if you don’t mind the privacy tradeoff, it could be useful. OpenAI’s announcement suggests asking Atlas to collect all the job postings you viewed last week and compile a summary of industry trends to help you prepare for an interview. If these memories prove too overwhelming, you can disable them in your browser settings. (OpenAI claims that deleting your browsing history also deletes the associated browser memories, and an incognito browser window logs you out of ChatGPT.)
The company offers a “ChatGPT Page Visibility” setting that lets you control whether ChatGPT can see the webpage you’re visiting. If you select “Not Allowed,” you can prevent the bot from seeing your activity, which is certainly a good thing. However, on the other hand, it slightly defeats the purpose of Atlas. If you don’t want ChatGPT to see your activity, you can use a browser without ChatGPT built-in. (The company promises it won’t train ChatGPT based on your browsing activity without your consent, but why would you want to?)
Is Atlas safe to use?
I believe that if a browser’s security is questionable, it’s best not to use it. This applies to Atlas and other AI-powered browsers.
The main problem with browsers that incorporate AI agents is that they are vulnerable to indirect suggestion injection attacks. Brave has conducted extensive research on this topic, particularly with Comet . In short, attackers could potentially hide malicious instructions on websites that AI agents perceive as a normal user request. Since the browser is designed to act on your behalf, these malicious instructions could instruct the AI to do something you definitely don’t want it to do. You might ask Atlas to create a summary of a web page, but since the attacker has hidden a command on the site to perform something related to your email, bank account, or corporate intranet, it will do that instead.
To its credit, OpenAI has compiled a list of security measures to mitigate risks with Atlas. Atlas can’t run code directly in the browser, download files, or install extensions. The browser has no access to other applications on your Mac or its file system. If agent mode requires access to sensitive websites, such as your bank, it will pause to ensure “you’re watching.” Until then, you can use the Atlas agent in unlogged mode, which limits its ability to access sensitive data or perform actions “on your behalf” on websites. But even OpenAI admits that after thousands of hours of testing, its security measures “will not prevent every attack that emerges as AI agents become more popular.” The company says it will patch new vulnerabilities as they are discovered, but if attackers discover them first, they could trick AI agents into doing something terrifying.
For me, the risks far outweigh the benefits right now. I don’t see any particular reason to use a browser bot acting on my behalf, but even if I did, I wouldn’t use it yet. The risk of someone injecting a malicious command into the site and disrupting my AI agent—and my digital life—is too great, especially considering I can easily book tickets or order delivery myself.