ChatGPT Atlas address bar a new avenue for prompt injection, researchers say – SC Media
(Credit: sdx15 – stock.adobe.com)
The browser, which was first released last week and is currently available for macOS, features an address bar, also known as an “omnibox,” that can be used to both visit specific websites by URL and to submit prompts to the ChatGPT large language model (LLM).
NeuralTrust found that a malformed URL could be crafted to include a prompt that is treated as plain text by the browser, passing the prompt on to the LLM.
A malformation, such as an extra space after the first slash following “https:” prevents the browser from recognizing the link as a website to visit. Rather than triggering a web search, as is common when plain text is submitted to a browser’s address bar, ChatGPT Atlas treats plain text as ChatGPT prompts by default. An unsuspecting user could potentially be tricked into copying and pasting a malformed link, believing they will be sent to a legitimate webpage. An attacker could plant the link behind a “copy link” button so that the user might not notice the suspicious text at the end of the link until after it is pasted and submitted.
These prompt injections could potentially be used to instruct ChatGPT to open a new tab to a malicious website such as a phishing site, or to tell ChatGPT to take harmful actions in the user’s integrated applications or logged-in sites like Google Drive, NeuralTrust said.
A user may expect to be sent to one website based on the domain at the start of the URL while ChatGPT opens a tab for a different website hidden at the end of the URL. As an example, the researchers demonstrated that ChatGPT Atlas followed instructions hidden in a malformed link, causing it to automatically open a new tab to the NeuralTrust website.
Since the launches of ChatGPT Atlas and Perplexity’s Comet browser, researchers have explored how attackers may seek to exploit AI browsers as a novel attack surface. Last week, SquareX Labs demonstrated how a malicious browser extension could spoof the AI sidebar feature of Comet and have since replicated the proof-of-concept (PoC) attack on Atlas as well.
Researchers at LayerX also developed a PoC attack called CometJacking, a type of prompt injection that could cause the Comet browser to exfiltrate data from a user’s connected apps.
OpenAI acknowledged potential risks when announcing the Atlas browser, especially regarding its agentic capabilities on logged-in sites and susceptibility to hidden prompt injections. The company noted that Atlas does not allow ChatGPT to run code, download files or install extensions.
The ChatGPT agent also pauses to ensure the user is watching during sensitive actions such as those taken on financial websites, and user can opt to only use agent in logged out mode as well as restrict the sites and apps that ChatGPT has access to in Atlas.
SC Staff
Steve Zurier
Steve Zurier
On-Demand Event
On-Demand Event
On-Demand Event
By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.
Related Terms
You can skip this ad in 5 seconds
Copyright © 2025 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.
Your use of this website constitutes acceptance of CyberRisk Alliance Privacy Policy and Terms of Use.
