
OpenAI’s newly launched Atlas web browser has come under scrutiny after cybersecurity firm NeuralTrust revealed a serious prompt injection vulnerability that allows attackers to “jailbreak” its omnibox by disguising malicious instructions as legitimate-looking URLs. The flaw could enable hackers to manipulate the browser’s AI agent into executing unintended actions.
“The omnibox (combined address/search bar) interprets input either as a URL to navigate to, or as a natural-language command to the agent,” NeuralTrust said in a report published Friday. “We’ve identified a prompt injection technique that disguises malicious instructions to look like a URL, but that Atlas treats as high-trust ‘user intent’ text, enabling harmful actions.”
Launched last week, Atlas integrates ChatGPT capabilities directly into the browser, offering features like webpage summarization, inline text editing, and agentic assistance. However, NeuralTrust’s findings suggest that its omnibox lacks clear boundaries between trusted user input and untrusted external content, making it susceptible to crafted prompts that appear as URLs.
In the reported attack, a fake link begins with “https” and contains a domain-like string such as “my-wesite.com,” followed by hidden instructions to the AI agent. When a user pastes this URL into Atlas, the input fails URL validation, prompting the browser to interpret it as a natural language command. The agent then executes the embedded instruction—potentially redirecting users to malicious or phishing sites or even deleting files from connected platforms like Google Drive.
Security researcher Martí Jordà noted, “Because omnibox prompts are treated as trusted user input, they may receive fewer checks than content sourced from webpages. The agent may initiate actions unrelated to the purported destination, including visiting attacker-chosen sites or executing tool commands.”
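The missing boundary the report describes can be made concrete on the defender's side. The following is an added illustration written for this article, not code from NeuralTrust, OpenAI or Atlas: typed omnibox text is promoted to a navigation only if it parses as a strict URL, natural text becomes an agent command, and anything URL-shaped that fails validation is quarantined rather than forwarded to the agent as high-trust user intent. The function names, hostname pattern and sample inputs are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed example: a strict URL navigates, natural text is an agent command,
# and URL-shaped text that fails validation is quarantined, not trusted as intent.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# Dotted hostname with a letters-only TLD (constructed shape check, not a full RFC 1123 parser).
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
DOMAIN_TOKEN_RE = re.compile(r"^[a-z0-9-]+\.[a-z]{2,63}(?:[/:?#].*)?$", re.I)


def is_strict_url(text: str) -> bool:
    """True only for an http(s) URL with no whitespace, no userinfo and a well-formed host."""
    if not text or any(ch.isspace() for ch in text):
        return False
    parts = urlsplit(text)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo is rare in typed URLs and a classic source of parser confusion
    host = parts.hostname
    return bool(host) and HOST_RE.match(host) is not None


def looks_url_like(text: str) -> bool:
    """URL-shaped input: starts with a scheme, or its first token is a bare domain."""
    tokens = text.split()
    first = tokens[0] if tokens else ""
    return SCHEME_RE.match(text) is not None or DOMAIN_TOKEN_RE.match(first) is not None


def classify_omnibox_input(raw: str) -> str:
    """Return 'navigate', 'agent_command' or 'quarantine' for one omnibox entry."""
    text = raw.strip()
    if is_strict_url(text):
        return "navigate"
    if looks_url_like(text):
        # Resembles a URL but failed validation: the shape the report describes.
        # Do not fall through to the agent with user-intent trust.
        return "quarantine"
    return "agent_command"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real attack.
    for sample in ("https://example.com/docs?page=2",
                   "summarize this page in three bullets",
                   "https://my-wesite.com then open the settings page",
                   "https://my-wesite.com%20then%20open%20settings"):
        print(f"{classify_omnibox_input(sample):14} <- {sample!r}")
```

In a real browser the quarantined bucket would be surfaced to the user for confirmation or handled with the same low trust as page content, rather than silently dropped.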
The disclosure comes amid other AI-related browser threats. SquareX Labs recently demonstrated a similar exploit called AI Sidebar Spoofing, in which malicious browser extensions overlay fake AI assistant sidebars to steal data, redirect users, or install malware. These fake interfaces mimic legitimate sidebars in browsers such as Atlas and Perplexity Comet, exploiting JavaScript overlays to deceive users.
Experts warn that prompt injection attacks are becoming a systemic issue for AI-enabled browsers, where hidden instructions—embedded in HTML, CSS, or even images—can hijack agent behavior. OpenAI’s Chief Information Security Officer, Dane Stuckey, acknowledged the challenge, saying, “One emerging risk we are very thoughtfully researching and mitigating is prompt injections… attackers hide malicious instructions in websites, emails, or other sources, to try to trick the agent into behaving in unintended ways.”
Despite red-teaming efforts and new safety guardrails, OpenAI admits prompt injection remains a “frontier, unsolved security problem.” Rival platforms like Perplexity share similar concerns, calling the issue one the entire industry is still grappling with. “Prompt injection represents a fundamental shift in how we must think about security,” the company stated, emphasizing that multi-layered protection and real-time detection are essential to defend users from increasingly sophisticated AI-based attacks.




