Final week, OpenAI unveiled ChatGPT Atlas, an internet browser that guarantees to revolutionise how we work together with the web. The corporate’s CEO, Sam Altman, described it as a “once-a-decade alternative” to rethink how we browse the net.
The promise is compelling: think about a synthetic intelligence (AI) assistant that follows you throughout each web site, remembers your preferences, summarises articles, and handles tedious duties equivalent to reserving flights or ordering groceries in your behalf.
However beneath the shiny advertising lies a extra troubling actuality. Atlas is designed to be “agentic”, in a position to autonomously navigate web sites and take actions in your logged-in accounts. This introduces safety and privateness vulnerabilities that almost all customers are unprepared to handle.
Whereas OpenAI touts innovation, it’s quietly shifting the burden of security onto unsuspecting shoppers who’re being requested to belief an AI with their most delicate digital choices.
What makes agent mode totally different
On the coronary heart of Atlas’s attraction is “agent mode”.
Not like conventional internet browsers the place you manually navigate the web, agent mode permits ChatGPT to function your browser semi-autonomously. For instance, when prompted to “discover a cocktail bar close to you and e book a desk”, it should search, consider choices, and try to make a reservation.
The know-how works by giving ChatGPT entry to your searching context. It will probably see each open tab, work together with types, click on buttons and navigate between pages simply as you’ll.
Mixed with Atlas’s “browser reminiscences” function, which logs web sites you go to and your actions on them, the AI builds an more and more detailed understanding of your digital life.
This contextual consciousness is what allows agent mode to work. But it surely’s additionally what makes it dangerously susceptible.
An ideal storm of safety dangers
The dangers inherent on this design transcend typical browser safety issues.
Think about prompt injection attacks, the place malicious web sites embed hidden instructions that manipulate the AI’s behaviour.
Think about visiting what seems to be a official procuring website. The web page, nonetheless, accommodates invisible directions directing ChatGPT to scrape private knowledge from all open tabs, equivalent to an energetic medical portal or a draft e-mail, after which extract the delicate particulars with out ever needing to entry a password.
Equally, malicious code on one web site may doubtlessly affect the AI’s behaviour throughout a number of tabs. For instance, a script on a procuring website may trick the AI agent into switching to your open banking tab and submitting a switch type.
Atlas’s autofill capabilities and type interplay options can change into assault vectors. That is particularly the case when an AI is making split-second choices about what info to enter and the place to submit it.
The personalisation options compound these dangers. Atlas’s browser reminiscences create complete profiles of your habits: web sites you go to, what you seek for, what you buy, and content material you learn.
Whereas OpenAI promises this knowledge received’t practice its fashions by default, Atlas continues to be storing extra extremely private knowledge in a single place. This consolidated trove of knowledge represents a honeypot for hackers.
Ought to OpenAI’s business model evolve, it may additionally change into a gold mine for extremely focused promoting.
OpenAI says it has tried to guard customers’ safety and has run 1000’s of hours of targeted simulated assaults. It additionally says it has “added safeguards to handle new dangers that may come from entry to logged-in websites and searching historical past whereas taking actions in your behalf”.
Nevertheless, the corporate nonetheless acknowledges “brokers are vulnerable to hidden malicious directions, [which] may result in stealing knowledge from websites you’re logged into or taking actions you didn’t intend”.
A downgrade in browser safety
This marks a significant escalation in browser safety dangers.
For instance, sandboxing is a safety method designed to maintain web sites remoted and stop malicious code from accessing knowledge from different tabs. The fashionable internet is dependent upon this separation.
However in Atlas, the AI agent isn’t malicious code – it’s a trusted consumer with permission to see and act throughout all websites. This undermines the core precept of browser isolation.
And whereas most AI security issues have targeted on the know-how producing inaccurate info, immediate injection is extra harmful. It’s not the AI making a mistake; it’s the AI following a hostile command hidden within the surroundings.
Atlas is particularly susceptible as a result of it offers human-level management to an intelligence layer that may be manipulated by studying a single malicious line of textual content on an untrusted website.
Suppose twice earlier than utilizing
Earlier than agentic searching turns into mainstream, we’d like rigorous third-party safety audits from impartial researchers who can stress-test Atlas’s defenses in opposition to these dangers. We want clearer regulatory frameworks that define liability when AI brokers make errors or get manipulated. And we’d like OpenAI to show, not merely promise, that its safeguards can stand up to decided attackers.
For people who find themselves contemplating downloading Atlas, the recommendation is simple: excessive warning.
In case you do use Atlas, suppose twice earlier than you allow agent mode on web sites the place you deal with delicate info. Deal with browser reminiscences as a safety legal responsibility and disable them except you might have a compelling purpose to share your full searching historical past with an AI. Use Atlas’s incognito mode as your default, and do not forget that each comfort function is concurrently a possible vulnerability.
The way forward for AI-powered searching could certainly be inevitable, however it shouldn’t arrive on the expense of consumer safety. OpenAI’s Atlas asks us to belief that innovation will outpace exploitation. Historical past suggests we shouldn’t be so optimistic.