ReportWire

Tag: chatgpt atlas

  • OpenAI says AI browsers may always be vulnerable to prompt injection attacks | TechCrunch

    [ad_1]

    Even as OpenAI works to harden its Atlas AI browser against cyberattacks, the company admits that prompt injections, a type of attack that manipulates AI agents to follow malicious instructions often hidden in web pages or emails, is a risk that’s not going away anytime soon — raising questions about how safely AI agents can operate on the open web. 

    “Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully ‘solved,’” OpenAI wrote in a Monday blog post detailing how the firm is beefing up Atlas’ armor to combat the unceasing attacks. The company conceded that “agent mode” in ChatGPT Atlas “expands the security threat surface.”

    OpenAI launched its ChatGPT Atlas browser in October, and security researchers rushed to publish their demos, showing it was possible to write a few words in Google Docs that were capable of changing the underlying browser’s behavior. That same day, Brave published a blog post explaining that indirect prompt injection is a systematic challenge for AI-powered browsers, including Perplexity’s Comet

    OpenAI isn’t alone in recognizing that prompt-based injections aren’t going away. The U.K.’s National Cyber Security Centre earlier this month warned that prompt injection attacks against generative AI applications “may never be totally mitigated,” putting websites at risk of falling victim to data breaches. The U.K. government agency advised cyber professionals to reduce the risk and impact of prompt injections, rather than think the attacks can be “stopped.” 

    For OpenAI’s part, the company said: “We view prompt injection as a long-term AI security challenge, and we’ll need to continuously strengthen our defenses against it.”

    The company’s answer to this Sisyphean task? A proactive, rapid-response cycle that the firm says is showing early promise in helping discover novel attack strategies internally before they are exploited “in the wild.” 

    That’s not entirely different from what rivals like Anthropic and Google have been saying: that to fight against the persistent risk of prompt-based attacks, defenses must be layered and continuously stress-tested. Google’s recent work, for example, focuses on architectural and policy-level controls for agentic systems.

    But where OpenAI is taking a different tact is with its “LLM-based automated attacker.” This attacker is basically a bot that OpenAI trained, using reinforcement learning, to play the role of a hacker that looks for ways to sneak malicious instructions to an AI agent.

    The bot can test the attack in simulation before using it for real, and the simulator shows how the target AI would think and what actions it would take if it saw the attack. The bot can then study that response, tweak the attack, and try again and again. That insight into the target AI’s internal reasoning is something outsiders don’t have access to, so, in theory, OpenAI’s bot should be able to find flaws faster than a real-world attacker would. 

    It’s a common tactic in AI safety testing: build an agent to find the edge cases and test against them rapidly in simulation. 

    “Our [reinforcement learning]-trained attacker can steer an agent into executing sophisticated, long-horizon harmful workflows that unfold over tens (or even hundreds) of steps,” wrote OpenAI. “We also observed novel attack strategies that did not appear in our human red teaming campaign or external reports.”

    Image Credits:OpenAI

    In a demo (pictured in part above), OpenAI showed how its automated attacker slipped a malicious email into a user’s inbox. When the AI agent later scanned the inbox, it followed the hidden instructions in the email and sent a resignation message instead of drafting an out-of-office reply. But following the security update, “agent mode” was able to successfully detect the prompt injection attempt and flag it to the user, according to the company. 

    The company says that while prompt injection is hard to secure against in a foolproof way, it’s leaning on large-scale testing and faster patch cycles to harden its systems before they show up in real-world attacks. 

    An OpenAI spokesperson declined to share whether the update to Atlas’ security has resulted in a measurable reduction in successful injections, but says the firm has been working with third parties to harden Atlas against prompt injection since before launch.

    Rami McCarthy, principal security researcher at cybersecurity firm Wiz, says that reinforcement learning is one way to continuously adapt to attacker behavior, but it’s only part of the picture. 

    “A useful way to reason about risk in AI systems is autonomy multiplied by access,” McCarthy told TechCrunch.

    “Agentic browsers tend to sit in a challenging part of that space: moderate autonomy combined with very high access,” said McCarthy. “Many current recommendations reflect that trade-off. Limiting logged-in access primarily reduces exposure, while requiring review of confirmation requests constrains autonomy.”

    Those are two of OpenAI’s recommendations for users to reduce their own risk, and a spokesperson said Atlas is also trained to get user confirmation before sending messages or making payments. OpenAI also suggests that users give agents specific instructions, rather than providing them access to your inbox and telling them to “take whatever action is needed.” 

    “Wide latitude makes it easier for hidden or malicious content to influence the agent, even when safeguards are in place,” per OpenAI.

    While OpenAI says protecting Atlas users against prompt injections is a top priority, McCarthy invites some skepticism as to the return on investment for risk-prone browsers. 

    “For most everyday use cases, agentic browsers don’t yet deliver enough value to justify their current risk profile,” McCarthy told TechCrunch. “The risk is high given their access to sensitive data like email and payment information, even though that access is also what makes them powerful. That balance will evolve, but today the trade-offs are still very real.”

    [ad_2]

    Rebecca Bellan

    Source link

  • ChatGPT’s Browser Bot Seems to Avoid New York Times Links Like a Rat Who Got Electrocuted

    [ad_1]

    AI-powered browsers like ChatGPT Atlas aren’t just browsers with little ChatGPT picture-in-picture boxes off to the side answering questions. They also have “agentic capabilities,” meaning they can theoretically carry out tasks like buying airline tickets and making hotel reservations (Atlas hasn’t exactly gotten rave reviews as a travel agent). But what happens when the little web-crawling bot that does these tasks senses danger?

    The danger we’re talking about is not to the user, but to the browser’s parent company. According to an investigation by Aisvarya Chandrasekar and Klaudia Jaźwińska of the Columbia Journalism Review, when Atlas is in agent mode, running all over the internet gobbling up information for you, it will take great pains to avoid certain sources of information. Some of that shyness appears to be connected to the fact that those sources of information belong to companies that are suing OpenAI.

    These bots have more freedom than normal web crawlers, Chandrasekar and Jaźwińska found. Web crawlers are ancient internet technology, and in ordinary, uncontroversial circumstances, when a crawler encounters instructions to not crawl a page, it simply will not. If you’re using the ChatGPT app, and you ask it to fish specific nuggets of information out of articles that block crawlers, it will most likely obey, and report to you that it can’t do it, because that task relies on crawlers.

    Agentic browser modes, however, use the internet under the pretense of being the you the user, and they “appear in site logs as normal Chrome sessions,” according to Chandrasekar and Jaźwińska (because Atlas is built atop the Google-designed open source Chromium browser). This means they generally can crawl pages that otherwise block automated behavior. Skirting the rules and norms of the internet in this way actually makes some sense, because to do otherwise might prevent you from manually accessing a given site in the Atlas browser, which sounds like overkill.

    But Chandrasekar and Jaźwińska asked Atlas to summarize articles from PCMag and the New York Times, whose parent companies are in active litigation with OpenAI over alleged copyright violations, and it went way out of its way to accomplish this, carving labyrinthine paths around the internet to deliver some version of the requested information. It was like a rat finding food pellets in a maze, knowing that the locations of certain food pellets are electrified.

    In the case of PCMag, it went to social media and other news sites, finding citations of the article, and tweets containing some of the article’s contents. In the case of the New York Times, it “generated a summary based on reporting from four alternative outlets—the Guardian, the Washington Post, Reuters, and the Associated Press.” All of those except Reuters have content or search-related agreements with OpenAI.

    In both cases, Atlas appears to have journeyed far from litigious publications, favoring a safer, more AI-friendly path to the end of its little rat maze.

    [ad_2]

    Mike Pearl

    Source link

  • Who are AI browsers for? | TechCrunch

    [ad_1]

    OpenAI launched an AI-powered web browser called ChatGPT Atlas this week, which makes me wonder: Is it finally time to ditch Safari?

    That news was on our minds as Max Zeff, Sean O’Kane, and I discussed the browser landscape — including some lesser-known alternatives — on the latest episode of the Equity podcast. But it doesn’t sound like any of us will be making a big switch soon.

    For one thing, Sean noted many companies have tried and ultimately failed to unseat the major browsers due to their inability to make money on the browser alone. Of course, that’s less likely to be a problem for OpenAI, with its increasingly massive funding rounds.

    Max, meanwhile, has actually tried out Atlas and other browsers that promise AI agents will do the work for you, and he said there’s a “slight efficiency gain” at best. At other times, you end up watching the agent “click around on a website” — is that something normal users are really crying out for? Plus, there are significant security risks

    Read a preview of our conversation below, edited for length and clarity.

    Anthony: I’m still on Safari, but as far as the search engine, which is tied to browsers, I’ve actually been trying to experiment with non-Google [options,] because I’m just tired of seeing all the genAI stuff at the top of my search results.

    I think also there’s this question of: If these AI browsers take off, what does that mean for the idea of the open web in general? You can still go to web pages, but I don’t think it would be crazy to suggest that a website is just going to become less and less important as more and more of our browsing is controlled by these AI interfaces and chatbots.

    Techcrunch event

    San Francisco
    |
    October 27-29, 2025

    Max: I think that this has been a big idea that people talk about a lot: What does the agentic web look like? And I think it is a fascinating question. People have tried to come up with all these solutions to work toward this future that [they] feel is coming. 

    And I think that there is a certain aspect of it that reminds me of previous tech waves where it’s like, “Okay, but what is the actual experience? What is the value proposition to a consumer of using one of these tools?”

    And it’s just not super compelling today. I’ve tried out ChatGPT Atlas and I’ve tried out Comet and the most generous estimation of them is, it’s a slight efficiency gain. It makes you slightly more efficient.

    But most of the time that I’ve tried these things, you’re slowly watching it click around on a website, doing some task that I would probably never do in the real world. I would have it, like, look up a recipe and add all of the ingredients to Instacart. I’ve never done that. I think all the tech bros always say that example in the videos, and I’m like, “I don’t know if people are doing that that much.”

    This is just this huge gap, in the face of the tech industry right now [saying] “We’re building all these tools for the agentic web,” but why would a normal person use this? And I don’t know.

    Sean: I have not used any of those [AI browsers] but that’s in large part because I’m still very much an old head when it comes to search and browsing in general — a lot of the work that I’m doing involves looking for documents, which just naturally involves looking through different discrete parts of web pages that I’m familiar with, lots of Boolean searches on Google. Maybe I’ll try these one day if Google really does up and kill Boolean search, which it feels like is coming at some point, but it’s not there yet. 

    The thing that is interesting to me about these AI browsers is that we’ve seen other companies try to compete in the browser space and they always lose because it’s just impossible to make money on a browser as a product. And some have tried to charge up front for it, they can kind of get by for a little while, but it’s just ultimately not sustainable in the face of competing against Safari or Chrome or Firefox, for that matter. 

    What’s interesting to me … is you finally have these companies that just have infinite money, so they can ride it out as long as they want, because they’re not actually trying to make money on these things yet. Eventually they probably will, but OpenAI doesn’t need to make money on this thing in the next year or two, they can just have it out there and let it take shape.

    [ad_2]

    Anthony Ha

    Source link