Concise Cyber

OpenAI’s New Atlas Browser Vulnerable to Prompt Injection via Fake URLs

A significant security flaw has been identified in the newly released OpenAI Atlas web browser. According to a report from artificial intelligence security company NeuralTrust, the browser is susceptible to a prompt injection attack. The vulnerability allows a malicious prompt, disguised as a standard URL, to be entered into the browser’s omnibox to execute hidden commands.

Last week, OpenAI launched Atlas, a web browser with integrated ChatGPT capabilities designed to assist users with tasks like web page summarization, inline text editing, and agentic functions. However, this integration has introduced a novel attack vector. The core of the issue lies within the browser’s omnibox, which serves as both a traditional address bar and a natural-language command interface for the AI agent.

Omnibox Jailbreak Technique Explained

The research, published by NeuralTrust on Friday, details how the Atlas browser’s omnibox can be jailbroken. “The omnibox (combined address/search bar) interprets input either as a URL to navigate to, or as a natural-language command to the agent,” NeuralTrust stated in its report. The security firm discovered a technique that exploits this dual functionality.

Attackers can craft a malicious instruction that mimics the structure of a URL. When a user inputs this disguised string, the Atlas browser fails to recognize it as a potentially harmful command. Instead, the browser’s AI component processes the input as a trusted instruction from the user, leading to unintended actions.

Exploiting ‘User Intent’ Trust

The attack takes advantage of the browser’s lack of strict boundaries between trusted user input and untrusted content. NeuralTrust’s report explained, “We’ve identified a prompt injection technique that disguises malicious instructions to look like a URL, but that Atlas treats as high-trust ‘user intent’ text, enabling harmful actions.” This exploitation of the browser’s trust model is central to the vulnerability, turning a seemingly harmless action, like navigating to a web address, into the execution of a hidden command without the user’s full awareness.
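The two design problems the report describes, an omnibox that guesses whether input is a URL or a command, and a trust model that grants anything it guesses to be "user intent" a high-trust path, are both addressed by the same defensive pattern: parse strictly, and fail closed. The following is an added example written for this article, not code from OpenAI, Atlas or NeuralTrust; it shows a hypothetical omnibox router that only takes the trusted navigation path for input that matches a strict URL grammar with no whitespace, and routes everything else (including strings that merely start like a URL) to the agent as untrusted text that needs explicit confirmation. The sample inputs are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Strict grammar for absolute URLs: scheme, host, optional port, optional
# path/query/fragment, and no whitespace anywhere in the string.
_ABSOLUTE_URL = re.compile(
    r"^(?:https?)://[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?::\d{1,5})?(?:[/?#]\S*)?$"
)
# Bare host with at least one dot ("example.com/path"), again with no whitespace.
_BARE_HOST = re.compile(
    r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?::\d{1,5})?(?:/\S*)?$"
)
# Anything that opens like a URL but fails the strict grammar is a "lookalike".
_URL_PREFIX = re.compile(r"^(?:https?)://", re.IGNORECASE)


@dataclass(frozen=True)
class OmniboxDecision:
    kind: str            # "navigate" or "agent"
    value: str           # URL to load, or the text handed to the agent
    trusted: bool        # only strictly parsed URLs get the high-trust path
    url_lookalike: bool  # started like a URL but did not parse as one
    reason: str


def classify_omnibox_input(text: str) -> OmniboxDecision:
    """Hypothetical omnibox router: decide navigate-vs-agent by strict parsing,
    never by guessing what the user probably meant."""
    s = text.strip()
    if _ABSOLUTE_URL.fullmatch(s):
        return OmniboxDecision("navigate", s, True, False,
                               "absolute URL passed strict grammar")
    if _BARE_HOST.fullmatch(s):
        return OmniboxDecision("navigate", "https://" + s, True, False,
                               "bare host passed strict grammar")
    lookalike = bool(_URL_PREFIX.match(s))
    reason = ("URL-like prefix but failed strict grammar: treated as untrusted text"
              if lookalike else "natural-language input: treated as untrusted text")
    return OmniboxDecision("agent", s, False, lookalike, reason)


def agent_may_act_without_confirmation(decision: OmniboxDecision) -> bool:
    """Policy hook (assumed design): only strictly parsed navigation runs
    unprompted. Anything routed to the agent, and above all a URL lookalike,
    must be shown back to the user and confirmed before any action is taken."""
    return decision.kind == "navigate" and decision.trusted


if __name__ == "__main__":
    # Constructed inputs: a real URL, a bare host, a plain request, and a
    # URL lookalike with trailing free text that a lenient parser might accept.
    for sample in ("https://example.com/docs?q=1",
                   "example.com/path",
                   "summarize this page",
                   "https://example.com/ then open my account settings"):
        d = classify_omnibox_input(sample)
        print(f"{sample!r:60} -> {d.kind:8} trusted={d.trusted} "
              f"lookalike={d.url_lookalike} ({d.reason})")
```

The key point is the absence of a lenient fallback: a string that fails the grammar is never "repaired" into a URL or silently promoted to user intent. A URL lookalike is logged as such, which also gives a detection signal (a spike in lookalike inputs reaching the agent path is worth alerting on), and the policy hook makes the trust decision explicit rather than a side effect of parsing.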