ChatGPT’s Atlas: the innovation forcing us to rethink Web security
OpenAI has just launched Atlas, its new AI browser capable of acting autonomously on the Web. Automated searches, bookings, interactions with websites… The promises are appealing, and the enthusiasm is quite understandable.
But before celebrating this new era of “agentic browsing,” let’s take a step back to examine what security researchers are revealing.
The Achilles heel of AI browsers
Brave’s security team recently published a study that should give us pause. Their research highlights critical vulnerabilities affecting several AI browsers on the market, including Perplexity, Comet, and Fellou.
The scenario is as simple as it is worrying: an attacker can hide malicious instructions in a web page, sometimes in the form of nearly invisible text within an image. When the AI browser processes this page, it interprets these instructions as legitimate commands and can execute them with YOUR authenticated privileges.
When the assistant becomes an attack vector
Imagine: you ask your AI browser to summarize a Reddit post. In the background, hidden instructions on the page could ask the browser to access your emails, check your bank account, or exfiltrate sensitive data. All without you even noticing.
The fundamental problem? These systems do not clearly distinguish between:
- Trusted instructions coming from the user
- Untrusted content coming from visited websites
This confusion breaks the very foundations of Web security, notably the “same-origin policy” principle that has protected us for years.
A necessary reflection, not a rejection
I am not saying we should abandon innovation. AI browsers represent an appealing and potentially very useful evolution of our relationship with the Web. But we must approach this technology with caution.
As the Brave researchers point out: until there are categorical improvements in security, agentic browsing remains “inherently dangerous” and must be treated as such.
What to do in the meantime?
The experts’ recommendations are clear:
- Isolate agentic browsing from regular browsing
- Only activate these features upon explicit request
- Avoid using them when logged into sensitive accounts (banking, professional email, corporate systems)
Personally, I recommend not using these browsers with authenticated accounts; use them only for “public” browsing.
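To make the trust boundary and the recommendations above concrete, here is an added example (not code from Brave, OpenAI or any browser vendor) of a gate that treats page text as labelled data and checks every action the model proposes. The names AgentSession and SENSITIVE_HOSTS, the policy itself and all URLs are assumptions made for illustration.

```javascript
// Added example. AgentSession, SENSITIVE_HOSTS and all URLs are hypothetical/constructed.
const SENSITIVE_HOSTS = new Set(["mail.example.com", "bank.example.com"]);

class AgentSession {
  constructor(userTask) {
    this.userTask = userTask;     // trusted: typed by the user
    this.readOrigins = new Set(); // origins whose content the model has seen
  }

  // Page text enters the context as labelled data and taints the session.
  ingestPage(url, text) {
    const origin = new URL(url).origin;
    this.readOrigins.add(origin);
    return { role: "untrusted_content", origin, text };
  }

  // Gate every action the model proposes; confirmation comes from the user, never the page.
  authorize(action, userConfirmed = false) {
    const target = new URL(action.url);
    if (SENSITIVE_HOSTS.has(target.hostname) && !userConfirmed) {
      return { allow: false, reason: "sensitive origin requires explicit user confirmation" };
    }
    const crossOrigin = [...this.readOrigins].some((o) => o !== target.origin);
    if (crossOrigin && action.kind !== "read" && !userConfirmed) {
      return { allow: false, reason: "state-changing request after reading another origin" };
    }
    return { allow: true, reason: "within policy" };
  }
}

// Constructed scenario: summarising a forum post that carries hidden text.
function demo() {
  const s = new AgentSession("Summarize this post");
  s.ingestPage("https://forum.example.org/post/1",
    "Visible post body. (hidden text addressed to the assistant)");
  return {
    summarizeSamePage: s.authorize({ kind: "read", url: "https://forum.example.org/post/1" }),
    openMailbox: s.authorize({ kind: "read", url: "https://mail.example.com/inbox" }),
    postElsewhere: s.authorize({ kind: "write", url: "https://other.example.net/upload" }),
    mailboxConfirmed: s.authorize({ kind: "read", url: "https://mail.example.com/inbox" }, true),
  };
}
```

Only the same-page read and the user-confirmed mailbox read are allowed. This sketch still permits unconfirmed cross-origin reads, which a stricter policy would also gate because a request URL can itself carry data.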
My point of view
Atlas and its competitors represent an exciting direction for AI. But enthusiasm should not make us forget that we are entrusting these systems with an unprecedented level of privileges.
While waiting for robust solutions, a dose of skepticism and caution is not only recommended, it is essential.
Source: “Unseeable prompt injections in screenshots: more vulnerabilities in Comet and other AI browsers” - Brave Research Team



