ChatGPT AI Browser Has a Serious Security Vulnerability

This week, OpenAI released ChatGPT Atlas, the company’s first AI-powered web browser. Atlas lets you browse the web like any other browser, but as expected, it integrates with ChatGPT. You can sign in to your account and invoke the assistant via the sidebar. The assistant will remember not only previous conversations but also your browsing history. Like other AI-powered browsers, notably Perplexity Comet, the browser supports “agent mode,” which can perform actions on your behalf. You can ask it to order food through DoorDash or buy plane tickets through Kayak, instead of doing it yourself.

While this may seem useful to ChatGPT fans, I found it difficult to recommend this browser given the security vulnerabilities currently facing AI-powered browsers. Any browser with agent-based functionality is vulnerable to prompt injection attacks: attackers can insert hidden, malicious prompts into websites, which the AI interprets as written by the user. This allows it to perform actions on the attacker’s behalf, such as opening financial websites or viewing your email. It seems that outsourcing some basic internet tasks to AI is a significant risk.

However, prompt injection isn’t the only vulnerability Atlas is currently facing. According to new research, the browser can also compromise the user’s clipboard.

How the Atlas Clipboard Injection Vulnerability Works

Android Authority discovered a post by an ethical hacker known as Pliny the Liberator on X. According to Pliny, ChatGPT Atlas is vulnerable to clipboard injection—a type of attack that allows an attacker to access your computer’s clipboard. The idea is this: an attacker could add a “copy to clipboard” feature to a button on their website. When you click the button, a malicious script runs in the background, allowing the attacker to access your clipboard and add anything they want to it. Perhaps it’s the URL of a website designed to install malware on your devices; perhaps it’s the URL of a site masquerading as a financial website. Either way, you’re unaware that your clipboard has been compromised, so you might open a new tab and paste what you think was the last text you copied, thus falling into a trap.

A particular risk associated with ChatGPT Atlas lies in its agent functionality: in agent mode, Atlas can independently press such a malicious button without you even noticing. One moment, you ask Atlas to order you lunch, and the next, your browser accidentally exposes you to hacking.

Pliny claims that OpenAI has apparently trained Atlas to recognize prompt injections, but the core “clipboard copy” function is hidden from the AI. It’s a clever trick: the bot can hover over a button, unaware that anything is wrong, and “click” it without triggering any warnings.

For those who frequently copy and paste data throughout the day, this can be quite dangerous. You might copy something in one app and then ask ChatGPT Atlas to do something on your behalf. But without realizing it, your browser is navigating to a malicious link that adds something to your clipboard. You then paste the data into the browser window, thinking the original file is still copied, but instead you’re taken to a website claiming your banking session has expired and you need to log in. If you’re quickly multitasking, you might be mindlessly “logging in,” handing over your banking information and two-factor authentication codes without even realizing it.
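
One way an agent runtime could guard against the clipboard write described above, shown as an added example (not OpenAI's or Atlas's code). It assumes the runtime can tell whether a click came from the agent or the user; `assessClipboardWrite`, `guardClipboard` and the `.example` origins are hypothetical names constructed for illustration.

```javascript
// Added example (constructed): not OpenAI/Atlas code. Assumes the agent
// runtime knows whether the current click came from the agent or the user.

// Decide what to do with one clipboard write. Pure function, easy to test.
function assessClipboardWrite({ text, pageOrigin, agentDriven }) {
  const reasons = [];
  for (const match of String(text).matchAll(/https?:\/\/[^\s"'<>]+/gi)) {
    let origin = null;
    try { origin = new URL(match[0]).origin; } catch { /* unparseable URL */ }
    if (origin !== pageOrigin) reasons.push(`URL outside page origin: ${match[0]}`);
  }
  if (agentDriven) reasons.push("triggered by an agent click, not a user gesture");
  const verdict = agentDriven ? "block" : reasons.length ? "warn" : "allow";
  return { verdict, reasons };
}

// Wrap a Clipboard-like object (anything with writeText) with the policy above.
function guardClipboard(clipboard, pageOrigin, isAgentDriven) {
  const audit = [];
  const realWrite = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    const result = assessClipboardWrite({ text, pageOrigin, agentDriven: isAgentDriven() });
    audit.push({ text, ...result });
    if (result.verdict === "block") {
      return Promise.reject(new Error("clipboard write blocked during agent action"));
    }
    return realWrite(text);
  };
  return audit;
}

// Constructed demo: an in-memory clipboard holding text the user copied earlier.
function runDemo() {
  const fake = { value: "meeting notes", writeText(t) { this.value = t; return Promise.resolve(); } };
  let agentActing = true;
  const audit = guardClipboard(fake, "https://shop.example", () => agentActing);
  // The page's "copy" button handler fires while the agent is clicking.
  fake.writeText("https://login.bank.example.invalid/session").catch(() => {});
  const afterAgentClick = fake.value;
  agentActing = false; // now the user clicks a copy button themselves
  fake.writeText("https://shop.example/order/123");
  return { afterAgentClick, afterUserClick: fake.value, audit };
}

console.log(runDemo());
```

The audit array keeps every attempted write, so a blocked payload can still be shown to the user or logged for review.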

These are just hypotheses. There are currently no reported cases of similar malicious activity on ChatGPT Atlas. At the same time, ChatGPT Atlas only appeared two days ago. I don’t think the risk is worth it, especially since I use the internet without any problems myself.
