Security researchers have torn into the week-old Atlas web browser developed by artificial intelligence (AI) company OpenAI, finding vulnerabilities that suggest being an early adopter of the software is a risky proposition.
Browser security vendor LayerX has published research that it said shows that threat actors can inject malicious instructions for Atlas.
These can persistently taint the memories for the browser’s ChatGPT chatbot integration, and execute code remotely, it said.
The attack is done with cross-site request forgery, that tricks users into submitting a malicious request, in this case to give threat actors access to users’ ChatGPT.
“This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware,” LayerX said.
Although LayerX said the vulnerability it discovered affects ChatGPT users on any browser, it is particularly dangerous for OpenAI Atlas users.
LayerX said Atlas does not include any meaningful anti-phishing protections, making users of it up to 90 percent more vulnerable to such attacks than others who run non-AI browsers like Google Chrome.
Testing by LayerX with 103 in-the-wild attacks showed that Atlas let 97 percent of them go through, unlike Microsoft Edge which stopped 53 percent of them, and Google Chrome that prevented 47 percent of threats.
Other agentic AI browsers such as Perplexity.ai’s Comet and Genspark also performed poorly against phishing attacks, LayerX said.
Prior to LayerX, security vendor NeuralTrust discovered that the Atlas “omnibox” can be used for prompt injection, allowing attackers to use specially crafted weblinks containing malicious instructions to bypass safety checks.
OpenAI’s chief information security officer Dan Stuckey admitted that “prompt injection remains a frontier, unresolved security problem” and that attackers will spend time and resources to make the ChatGPT agent to fall for such attacks.
Yesterday we launched ChatGPT Atlas, our new web browser. In Atlas, ChatGPT agent can get things done for you. We’re excited to see how this feature makes work and day-to-day life more efficient and effective for people.
ChatGPT agent is powerful and helpful, and designed to be…
— DANΞ (@cryps1s) October 22, 2025
Atlas is available for Apple’s macOS 14.2 or later operating systems, on Mac computers with M-series processors, and is based on the open source Chromium framework.
While OpenAI said Atlas is “generally available for consumers”, the browser is in beta for business and enterprise customers who are asked to evaluate the software with low-risk data.
As such, OpenAI said Atlas should be out of scope as most enterprise security and compliance features such as Service Organisation Control 2 (SOC 2), role-based access controls, monitoring through security information and event management (SIEM) are not supported as this stage.
When it comes to the agent functionality, OpenAI suggested users review it with their security teams, if the behaviour of autonomous AI introduces new risks for organisations.
OpenAI advised not to use Atlas with regulated, confidential or production data.
The AI company said Atlas does not use business and enterprise customers’ content to train its models, but has not clarified whether or not this is the case for consumers.
