Quit Emailing Yourself

OpenAI says AI browsers may always be vulnerable to prompt injection attacks | TechCrunch

4 min read | Saved February 14, 2026 | Copied!

openai 🤖 security 🤖 prompt-injection 🤖 ai-browsers 🤖 risk 🤖

Do you care about this?

OpenAI is addressing the ongoing threat of prompt injection attacks on its Atlas AI browser, acknowledging that these vulnerabilities may never be fully resolved. The company is using a reinforcement learning-based automated attacker to identify and simulate potential exploits, while also advising users on how to minimize their risk. Security experts emphasize the need for layered defenses and caution about the inherent risks of using AI-powered browsers.

If you do, here's more

OpenAI is grappling with the persistent threat of prompt injection attacks on its Atlas AI browser, despite efforts to enhance security. These attacks manipulate AI agents into executing harmful instructions hidden within web content. OpenAI acknowledges that fully eliminating this risk is unlikely, similar to the challenges faced in online scams. The company's recent blog post explains that the use of "agent mode" in ChatGPT Atlas has broadened the security vulnerabilities.

Since the launch of Atlas in October, security researchers demonstrated the ability to alter the browser’s behavior by embedding malicious prompts in documents. OpenAI is not alone in this struggle; the U.K. National Cyber Security Centre recently warned that such attacks may never be completely mitigated. To combat these threats, OpenAI is employing a rapid-response strategy to identify new attack vectors before they can be exploited in the real world. This includes the development of a reinforcement learning-based automated attacker designed to simulate hacking attempts and uncover weaknesses faster than human attackers can.

OpenAI's approach involves testing its defenses against sophisticated, multi-step attacks. In one demonstration, the automated attacker crafted a malicious email that caused the AI to send an unintended resignation message. The updated security protocols in "agent mode" managed to flag this attempt post-update. While OpenAI is working with third parties to bolster Atlas's defenses, a spokesperson did not confirm whether these efforts have led to a notable decline in successful prompt injections.

Experts like Rami McCarthy emphasize the challenges of balancing autonomy and access in AI systems. Agentic browsers, while powerful, expose users to significant risks due to their extensive access to sensitive information. McCarthy suggests that for many users, the risks associated with agentic browsers currently outweigh their benefits. OpenAI recommends limiting access and ensuring user confirmation before actions are taken to minimize exposure to potential attacks.

Questions about this article

No questions yet.