{"id":6270,"date":"2025-12-23T16:16:36","date_gmt":"2025-12-23T16:16:36","guid":{"rendered":"https:\/\/microvibenews.com\/?p=6270"},"modified":"2025-12-23T16:16:36","modified_gmt":"2025-12-23T16:16:36","slug":"openai-says-its-ai-browser-may-never-be-fully-secure-from-hackers","status":"publish","type":"post","link":"https:\/\/microvibenews.com\/?p=6270","title":{"rendered":"OpenAI says its AI browser may never be fully secure from hackers"},"content":{"rendered":"

<\/p>\n

OpenAI has said that some attack methods against AI browsers like ChatGPT Atlas are likely here to stay, raising questions about whether AI agents can ever safely operate across the open web.\u00a0<\/p>\n

The main issue is a type of attack called \u201cprompt injection,\u201d where hackers hide malicious instructions in websites, documents, or emails that can trick the AI agent into doing something harmful. For example, an attacker could embed hidden commands in a webpage\u2014perhaps in text that is invisible to the human eye but looks legitimate to an AI\u2014that override a user\u2019s instructions and tell an agent to share a user\u2019s emails, or drain someone\u2019s bank account.<\/p>\n

Following the launch of OpenAI\u2019s ChatGPT Atlas browser in October, security researchers were quick to demonstrate how a few words hidden in a Google Doc or clipboard link could manipulate the AI agent\u2019s behavior. Cybersecurity firm Brave, also published findings showing that indirect prompt injection is a systematic challenge affecting multiple AI-powered browsers, including Perplexity\u2019s Comet.<\/p>\n

\n

\u201cPrompt injection, much like scams and social engineering on the web, is unlikely to ever be fully \u2018solved,’\u201d OpenAI wrote in a blog post Monday, adding that \u201cagent mode\u201d in ChatGPT Atlas \u201cexpands the security threat surface.\u201d<\/p>\n

\u201cWe\u2019re optimistic that a proactive, highly responsive rapid response loop can continue to materially reduce real-world risk over time,\u201d the company said.<\/p>\n

Fighting AI with AI<\/strong><\/h2>\n

OpenAI\u2019s approach to the problem is to use an AI-powered attacker of its own\u2014essentially a bot trained through reinforcement learning to act like a hacker seeking ways to sneak malicious instructions to AI agents. The bot can test attacks in simulation, observe how the target AI would respond, then refine its approach and try again repeatedly.<\/p>\n

\u201cOur [reinforcement learning]-trained attacker can steer an agent into executing sophisticated, long-horizon harmful workflows that unfold over tens (or even hundreds) of steps,\u201d OpenAI wrote. \u201cWe also observed novel attack strategies that did not appear in our human red teaming campaign or external reports.\u201d<\/p>\n

However, some cybersecurity experts are skeptical that OpenAI\u2019s approach can address the fundamental problem.\u00a0<\/p>\n

\u201cWhat concerns me is that we\u2019re trying to retrofit one of the most security-sensitive pieces of consumer software with a technology that\u2019s still probabilistic, opaque, and easy to steer in subtle ways,\u201d Charlie Eriksen, a security researcher at Aikido Security, told Fortune<\/em>. <\/p>\n

\u201cRed-teaming and AI-based vulnerability hunting can catch obvious failures, but they don\u2019t change the underlying dynamic. Until we have much clearer boundaries around what these systems are allowed to do and whose instructions they should listen to, it\u2019s reasonable to be skeptical that the tradeoff makes sense for everyday users right now,\u201d he said. \u201cI think prompt injection will remain a long-term problem \u2026 You could even argue that this is a feature, not a bug.\u201d<\/p>\n

A cat-and-mouse game<\/strong><\/h2>\n

Security researchers also previously told Fortune <\/em>that while a lot of cybersecurity risks were essentially a continuous cat-and-mouse game, the deep access that AI agents need\u2014such as users\u2019 passwords and permission to take actions on a user\u2019s behalf\u2014posed such a vulnerable threat opportunity it was unclear if their advantages were worth the risk.\u00a0<\/p>\n

George Chalhoub, assistant professor at UCL Interaction Centre, said that the risk is severe because prompt injection \u201ccollapses the boundary between the data and the instructions,\u201d potentially turning an AI agent \u201cfrom a helpful tool to a potential attack vector against the user\u201d that could extract emails, steal personal data, or access passwords.<\/p>\n

\u201cThat\u2019s what makes AI browsers fundamentally risky,\u201d Eriksen said. \u201cWe\u2019re delegating authority to a system that wasn\u2019t designed with strong isolation or a clear permission model. Traditional browsers treat the web as untrusted by default. Agentic browsers blur that line by allowing content to shape behavior, not just be displayed.\u201d<\/p>\n

The U.K.\u2019s National Cyber Security Centre has also warned that prompt injection attacks against generative AI systems are a long?term issue that may never be fully eliminated. Instead of assuming these attacks can be completely stopped, the agency advises security teams to design systems so that the damage from a successful prompt injection is limited, and to focus on reducing both the likelihood and impact of data exposure or other harmful outcomes.<\/p>\n

OpenAI recommends users give agents specific instructions rather than providing broad access with vague directions like \u201ctake whatever action is needed.\u201d The company also said Atlas is trained to get user confirmation before sending messages or making payments. <\/p>\n

\u201cWide latitude makes it easier for hidden or malicious content to influence the agent, even when safeguards are in place,\u201d OpenAI said in the blogpost.<\/p>\n<\/div>\n

#OpenAI #browser #fully #secure #hackers<\/p>\n","protected":false},"excerpt":{"rendered":"

OpenAI has said that some atta… <\/p>\n","protected":false},"author":1,"featured_media":6271,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[979,5539,5538,768,1978,3210,703,1031,441],"_links":{"self":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/6270"}],"collection":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6270"}],"version-history":[{"count":0,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/6270\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/media\/6271"}],"wp:attachment":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}