ChatGPT Atlas browser raises security concerns – PPC Land
OpenAI's new Chromium-based browser draws criticism for replicating Perplexity Comet design while vulnerability research exposes risks.
OpenAI launched ChatGPT Atlas on October 21, 2025, introducing an artificial intelligence-powered browser that functions through conversational interfaces. The browser became available globally on macOS, though Windows, iOS, and Android versions are forthcoming according to the company’s announcement during a livestream presentation.
Sam Altman, OpenAI’s CEO, described the product as representing “a rare once a decade opportunity to rethink what a browser can be about.” Ben Goodger, who leads engineering for Atlas, explained that the company “wanted to make sure that Atlas didn’t feel like your old browser just with a chat button that was bolted on.” The browser builds upon Chromium architecture and incorporates three primary features: conversational interaction capabilities across all web pages, memory functionality that tracks user behavior, and an agent mode enabling automated actions.
Subscribe PPC Land newsletter ✉️ for similar stories like this one. Receive the news every day in your inbox. Free of ads. 10 USD per year.
The browser runs on Chromium, the open-source foundation that powers Google Chrome, Microsoft Edge, and other major browsers. Atlas supports Chrome extensions and allows users to import existing bookmarks and settings from their current browsers. The integration preserves familiar navigation elements including tabs and autofill capabilities while positioning ChatGPT as what OpenAI characterizes as “the beating heart” of the browsing experience.
Agent mode represents the most advanced capability within Atlas. According to Justin Rushing, who demonstrated the feature during the launch presentation, the system can execute complex multi-step processes including ordering groceries, creating project management tasks, and handling customer service interactions. “ChatGPT agent is only ever operating on your tabs,” Rushing stated during the demonstration. He emphasized that the agent “can’t execute code on your computer or access other files.”
The memory component tracks user activities across browsing sessions to enable personalized recommendations and automated task completion. Ryan O’Rouke, lead designer for the project, demonstrated how Atlas uses browser memory to search web history and locate documents based on conversational queries. The system generates suggestions on the homepage based on user patterns and predicted tasks.
Follow on Google, Google News, X, LinkedIn, Mastodon, Bluesky, or via RSS
Research published by Brave Software’s security team reveals fundamental security challenges affecting agentic browsers including Perplexity’s Comet. According to research conducted by Artem Chaikin, Senior Mobile Security Engineer at Brave, these browsers fail to maintain clear boundaries between trusted user input and untrusted web content when constructing prompts for language models.
The vulnerabilities enable indirect prompt injection attacks where malicious instructions embedded in websites can manipulate browser AI assistants. Brave’s research demonstrated how attackers can hide instructions using techniques including white text on white backgrounds, HTML comments, or nearly-invisible text within images.
Brave discovered on October 1, 2025, that Perplexity’s Comet browser processes screenshots without distinguishing between visible content and hidden malicious instructions. The vulnerability allows attackers to embed commands using faint light blue text on yellow backgrounds that remain imperceptible to human users but get extracted and executed by the AI assistant.
A separate vulnerability identified on August 20, 2025, affects Fellou browser, where simply asking the AI assistant to navigate to a webpage causes the browser to send the website’s content to the language model without adequate separation between user instructions and page content.
Buy ads on PPC Land. PPC Land has standard and native ad formats via major DSPs and ad platforms like Google Ads. Via an auction CPM, you can reach industry professionals.
Brave’s proof-of-concept demonstration showed how a Reddit post containing malicious instructions hidden behind a spoiler tag could compromise user accounts. When users clicked Comet’s “Summarize the current webpage” button, the AI assistant processed the hidden instructions and executed a series of unauthorized actions including navigating to account details pages, extracting email addresses, logging into alternative domains to bypass authentication, accessing Gmail to retrieve one-time passwords, and exfiltrating credentials by posting them as Reddit comments.
According to Shivan Kaul Sahib, VP of Privacy and Security at Brave, “When an AI assistant follows malicious instructions from untrusted webpage content, traditional protections such as same-origin policy or cross-origin resource sharing are all effectively useless.” The AI operates with full user privileges across authenticated sessions, potentially accessing banking accounts, corporate systems, private emails, and cloud storage services.
Atlas operates on the same Chromium codebase that forms the foundation for Comet, Chrome, and Edge browsers. This architectural choice provides immediate compatibility with existing Chrome extensions but raises questions about market concentration. Google maintains approximately 67% browser market share through Chrome according to federal court findings in antitrust cases decided in September 2025.
User comments on OpenAI’s launch video questioned the browser’s originality. One user stated that the demonstration “just feels like it could be a Chrome plugin.” Another observer noted that “Sam realizes that his team just made Chrome with ChatGPT as the home tab.” Multiple commenters drew direct comparisons to Comet, with one writing that the team showed “Atlas is basically a fork of Comet.”
Perplexity launched Comet on July 9, 2025, initially restricting access to subscribers of the company’s $200-per-month Max plan. The browser featured integrated AI search, an assistant capable of automated browsing tasks, and Chrome extension support. Perplexity made Comet freely available on October 2, 2025, ending the limited release after millions joined waitlists during the three-month period.
OpenAI emphasized user control mechanisms during the Atlas presentation. Rushing explained that users decide whether the agent operates while logged into sensitive sites or functions in a logged-out state with minimal access. The browser includes an incognito mode for sessions that users do not want remembered by ChatGPT.
The memory functionality, while optional according to the presentation, tracks comprehensive browsing behavior to power personalized suggestions and enable features like searching web history through conversational queries. Users can view and manage stored memories through settings interfaces and choose whether to enable the feature during onboarding.
PPC Land previously reported on Perplexity’s browser strategy when CEO Aravind Srinivas disclosed data collection plans during an April 2025 podcast interview. Srinivas described intentions to track user habits across the web for “hyper personalized” advertising, drawing comparisons to established tech companies’ data collection practices.
OpenAI limits agent mode availability to Plus and Pro subscribers during the initial release phase. The company implements safeguards including restricting agent operations to active browser tabs rather than allowing system-wide access. Users receive prompts to approve or reject agent actions before execution occurs.
The demonstrations during the launch event showed agent mode completing tasks including adjusting recipe ingredient quantities for different serving sizes, ordering groceries through Instacart, and creating linear project management tasks from Google documents. However, according to reporting from TechCrunch referenced in PPC Land’s analysis of Claude for Chrome, modern browser-using AI agents remain “fairly reliable at offloading simple tasks” while struggling “with more complex problems.”
Brave reported the Perplexity screenshot vulnerability on October 1, 2025, and sent public disclosure notice the following day. The company proceeded with public disclosure of vulnerability details on October 20, 2025.
For the Fellou browser navigation vulnerability, Brave discovered and reported the issue on August 20, 2025, maintaining confidentiality until publishing details on October 20, 2025.
Perplexity acknowledged Brave’s initial report about general prompt injection vulnerabilities on July 27, 2025, and implemented what the company characterized as an initial fix. Brave’s retesting on July 28, 2025, revealed the fix remained incomplete. According to Brave’s August 20, 2025 blog post, “on further testing after this blog post was released, we learned that Perplexity still hasn’t fully mitigated the kind of attack described here.”
The browser landscape increasingly centers on AI integration as multiple companies pursue similar strategies. Anthropic launched Claude for Chrome as a research preview on August 26, 2025, limiting initial access to 1,000 Max plan subscribers. The extension approach differs from standalone browser development pursued by OpenAI and Perplexity.
Browser extensions that automate routine tasks affect user behavior patterns. Tasks previously requiring direct website visits may become invisible to users as AI agents handle transactions autonomously. This shift impacts how websites track user interactions and conversions.
Security considerations become paramount as AI browsers gain capabilities to interact with authenticated sessions. According to Brave’s research, “agentic browsing will be inherently dangerous” until categorical safety improvements emerge across the browser landscape. The company recommends that browsers isolate agentic browsing from regular browsing and initiate agentic actions only when users explicitly invoke them.
The proliferation of agentic browsers raises questions about how organizations should prepare for environments where AI intermediates between platforms and users. Traditional web security assumptions including same-origin policy protections become ineffective when AI assistants operate with full user privileges across domains.
Research shows major UK and US retailers embrace agentic commerce opportunities according to findings published September 16, 2025, by PSE Consulting. The analysis revealed that merchants generally welcome AI agents rather than blocking them, with Amazon standing as the primary exception implementing comprehensive bot restrictions.
Brave disclosed that the company develops agentic browsing capabilities for its own Leo AI assistant while prioritizing security guardrails. According to the vulnerability research publications, Brave examines competing implementations to inform its security architecture.
The company identified several mitigation strategies browsers should implement including distinguishing between user instructions and website content when sending context to backend systems, checking model outputs for alignment with user requests, requiring user interaction for security-sensitive actions, and isolating agentic browsing from regular browsing modes.
Brave emphasized that “powerful agentic capabilities should be isolated from regular browsing tasks, and this difference should be intuitively obvious to the user.” The company characterized this separation as especially important during early development stages while browser vendors work to prevent security and privacy attacks.
Brave processed nearly 20 billion annual queries as of September 30, 2025, while reaching 101 million monthly active users according to data from the company’s public metrics.
The browser announcement occurs as OpenAI faces competitive pressure from multiple directions. The company has reportedly explored browser development since 2024, hiring former Google Chrome team members throughout 2024 and early 2025 according to industry reporting.
Google maintains Chrome’s dominant market position while integrating Gemini AI capabilities throughout 2025. Microsoft continues developing Copilot features within Edge browser architecture. DuckDuckGo announced a comprehensive browser redesign in July 2025 with enhanced AI integration while maintaining privacy-focused positioning.
The Browser Company released Dia in June 2025, offering AI integration features that preceded both Comet and Atlas launches. The competitive landscape suggests that AI-powered browsing represents a strategic priority across major technology companies.
Federal courts addressed Google’s search monopoly through antitrust remedies in September 2025. U.S. District Judge Amit Mehta ruled that Google illegally maintained search monopolies but rejected Department of Justice demands for Chrome browser divestiture. The court instead imposed behavioral remedies including prohibition of exclusive search distribution agreements and mandated data sharing with competitors.
Browser development requires addressing performance metrics including page loading speeds, extension compatibility, and synchronization across devices. AI integration cannot compromise these requirements without losing user adoption according to industry analysis.
The technical implementation of Atlas relies on sending webpage content along with user queries to backend language models. This architecture necessitates robust systems for distinguishing trusted instructions from untrusted content to prevent the indirect prompt injection vulnerabilities that Brave’s research identified.
OpenAI characterized the Atlas launch as “early days for this project” during the presentation. Altman described future development directions including custom instructions that follow users everywhere on the web and proactive information gathering where the agent finds and assembles relevant content without explicit user requests.
The company positions Atlas as a tool for what it terms “vibe lifing” – delegating various personal and professional tasks to the browser agent. This vision requires addressing the fundamental security challenges that current implementations face according to independent security research.
Subscribe PPC Land newsletter ✉️ for similar stories like this one. Receive the news every day in your inbox. Free of ads. 10 USD per year.
Subscribe PPC Land newsletter ✉️ for similar stories like this one. Receive the news every day in your inbox. Free of ads. 10 USD per year.
Who: OpenAI announced ChatGPT Atlas browser with Sam Altman, Ben Goodger, Adam Fry, Ryan O’Rouke, and Justin Rushing presenting features during the October 21, 2025 livestream. Brave Software’s security researchers Artem Chaikin and Shivan Kaul Sahib conducted vulnerability research affecting Perplexity Comet and Fellou browsers.
What: ChatGPT Atlas represents a Chromium-based browser featuring conversational interface integration, memory functionality tracking user behavior, and agent mode enabling automated task completion. The browser supports Chrome extensions and allows bookmark importing. Concurrent security research revealed indirect prompt injection vulnerabilities in competing agentic browsers including Perplexity Comet and Fellou, where malicious instructions embedded in websites can manipulate AI assistants to exfiltrate credentials and compromise authenticated sessions.
When: OpenAI launched ChatGPT Atlas globally for macOS on October 21, 2025, with Windows, iOS, and Android versions planned. Agent mode availability remains limited to Plus and Pro subscribers during initial release. Brave disclosed vulnerability research on October 20, 2025, following discovery and responsible reporting beginning July 25, 2025 for Perplexity Comet and August 20, 2025 for Fellou browser.
Where: The browser initially launches on macOS worldwide with planned expansion to Windows desktop and mobile platforms. Brave Software, based in San Francisco, conducted security research affecting multiple agentic browser implementations globally. The vulnerabilities affect any users of Perplexity Comet and Fellou browsers regardless of geographic location, particularly impacting users with authenticated sessions to banking, email, and corporate systems.
Why: OpenAI characterizes Atlas as representing “a rare once a decade opportunity to rethink what a browser can be about,” positioning conversational AI as the primary interface for web interaction rather than traditional URL bars and search boxes. The launch responds to competitive pressure from Perplexity’s Comet browser, Anthropic’s Claude for Chrome extension, and other AI integration efforts by Google, Microsoft, and The Browser Company. Security research aims to surface risks early and demonstrate practical defenses before agentic browsers achieve widespread adoption, protecting users from indirect prompt injection attacks that bypass traditional web security mechanisms including same-origin policy and cross-origin resource sharing protections.
