Security researchers at NeuralTrust have uncovered a critical vulnerability in OpenAI’s Atlas browser that allows attackers to bypass safety measures by disguising malicious instructions as innocent-looking web addresses.
The flaw exploits how the browser’s omnibox interprets user input, potentially enabling harmful actions without proper security checks.
The Omnibox Vulnerability Explained
Atlas features an omnibox that serves dual purposes as both an address bar and a search interface. When users enter text, the system must decide whether the input is a web address to visit or a natural language command for the AI agent to process.
Researchers discovered that specially crafted strings appearing as URLs can trick the browser into treating them as trusted user commands instead of web addresses.
The attack works through deliberate URL malformation. Attackers create strings that look like legitimate web addresses at first glance but contain intentional errors preventing them from being recognized as valid URLs.
When Atlas fails to validate these strings as proper web addresses, it automatically interprets the entire input as a prompt for the AI agent.
Because this input comes through the omnibox, the system treats it as high-trust user intent, bypassing many safety mechanisms that would normally screen for malicious commands.
The vulnerability opens doors to several dangerous exploitation methods. In one scenario, attackers place malformed URL strings behind seemingly harmless “Copy link” buttons on websites.
Unsuspecting users copy and paste these strings into the Atlas omnibox, triggering the AI agent to execute embedded instructions rather than navigating to the expected destination. This technique could redirect victims to phishing sites designed to steal login credentials.

More concerning are destructive commands embedded within these fake URLs. An attacker could craft instructions directing the agent to access Google Drive and delete specific file types.
Since the browser interprets these commands as authentic user requests, the agent might execute file deletions using the victim’s authenticated session without additional confirmation.
NeuralTrust Security Research identified and validated the vulnerability on October 24, 2025, publishing their findings the same day.
The flaw represents a broader security challenge facing agentic browsers, where the line between trusted user input and untrusted external content becomes dangerously blurred.
Security experts recommend several mitigation strategies for agentic browser developers.
These include implementing stricter URL parsing standards that eliminate ambiguity, requiring users to explicitly choose between navigation and command modes, treating omnibox prompts as untrusted by default, and adding confirmation steps before executing cross-site actions.
Developers should also strip natural language directives from URL-like inputs and conduct comprehensive testing with malformed URL payloads.
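The routing rule these mitigations describe can be sketched as follows. This is an added example, not code from Atlas or NeuralTrust; the function names, return shape and the explicitPromptMode flag are assumptions made for illustration. Input that looks like an address but fails strict parsing is rejected instead of being handed to the agent, and anything that does reach the agent is marked untrusted.

```javascript
// Added example: hypothetical omnibox router (names and return shape are assumptions).
// Text that starts like an address: "scheme:/..." or "www."
const URL_LIKE = /^(?:[a-z][a-z0-9+.-]*:\/|www\.)/i;

function strictUrl(text) {
  // Accept only whitespace-free http(s) input with an explicit "//" authority.
  // The WHATWG parser alone is too lenient (it accepts "https:/host").
  if (/\s/.test(text) || !/^https?:\/\/[^/]/i.test(text)) return null;
  try {
    const u = new URL(text);
    return u.hostname ? u : null;
  } catch {
    return null;
  }
}

function classifyOmniboxInput(raw, { explicitPromptMode = false } = {}) {
  const text = raw.trim();
  const url = strictUrl(text);
  if (url) return { action: "navigate", target: url.href };

  if (URL_LIKE.test(text)) {
    // Looks like an address but failed strict parsing: never fall back to the agent.
    return { action: "reject", reason: "url-like input failed strict parsing" };
  }
  if (!explicitPromptMode) {
    // Ambiguous text: the user must pick navigation/search or command mode.
    return { action: "ask-mode" };
  }
  // Even an explicit prompt is untrusted and needs confirmation for cross-site actions.
  return { action: "prompt", text, trust: "untrusted", confirmCrossSite: true };
}

// Constructed sample inputs (not taken from the research write-up).
const SAMPLES = [
  "https://example.test/docs",
  "https:/ /example.test/path+then+open+settings",
  "summarize this page",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", classifyOmniboxInput(s).action);
}
```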
NeuralTrust continues expanding test coverage for omnibox boundary cases and plans to publish additional attack vectors and mitigation strategies.
Organizations operating agentic browsers should prioritize implementing these defensive measures to protect users from prompt injection attacks.




