OpenAI Atlas Browser Vulnerability Exposed to Prompt Injection Attack

A new security flaw has been discovered in the recently released OpenAI Atlas browser. The issue was reported by cybersecurity firm NeuralTrust, which identified a prompt injection technique capable of compromising the browser’s built-in AI assistant.

The attack targets the Atlas omnibox, which serves as both an address bar and a search bar. It was revealed that the omnibox can mistakenly interpret a crafted string as a user command rather than a web address. Because of this, malicious inputs disguised as URLs can be used to manipulate the browser’s AI system.

According to the report, a fake URL beginning with “https://my-wesite.com” can be followed by hidden natural language instructions. When entered, the string fails URL validation, so Atlas treats it as a prompt instead. This causes the AI to execute the embedded command, redirecting users to an attacker-controlled website or performing unauthorized actions.

Experts warned that this flaw could lead to phishing attacks, data theft, and remote exploitation. In a practical example, attackers could embed such fake links behind “Copy link” buttons, luring users to malicious pages or triggering harmful actions like deleting files from connected accounts such as Google Drive.

Security researcher Martí Jordà noted that omnibox prompts are treated as trusted input, meaning they may bypass several security checks applied to regular website content. This lack of isolation between user intent and page content created an opening for attackers to abuse the AI assistant’s trust model.
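The omnibox fallback described above can be made to fail closed. The following is an added example, not code from Atlas or from the NeuralTrust report: the function name, the three actions and the sample inputs are assumptions constructed for illustration. Input that looks like a URL but does not pass strict validation is held for user confirmation instead of being handed to the assistant as a trusted prompt.

```javascript
// Hypothetical fail-closed omnibox classifier (illustration only).
// Three outcomes:
//   navigate : input is a strictly valid http(s) URL
//   confirm  : input resembles a URL but failed validation; show it to the
//              user and do NOT pass it to the assistant as a trusted prompt
//   prompt   : plain natural-language input
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// "scheme:/" or "www." at the start marks input that claims to be a URL.
const URL_LIKE = /^(?:[a-z][a-z0-9+.-]*:\/|www\.)/i;

function classifyOmniboxInput(raw) {
  const text = String(raw).trim();

  // The WHATWG URL parser percent-encodes spaces in a path instead of
  // rejecting them, so whitespace is refused before parsing is attempted.
  let parsed = null;
  if (!/\s/.test(text)) {
    try {
      parsed = new URL(text);
    } catch {
      parsed = null; // not an absolute URL
    }
  }

  if (parsed && ALLOWED_SCHEMES.has(parsed.protocol) && parsed.hostname) {
    return { action: 'navigate', url: parsed.href };
  }

  // Parsed with a non-web scheme, or URL-shaped but invalid: never fall
  // through to the trusted-prompt path.
  if (parsed || URL_LIKE.test(text)) {
    return { action: 'confirm', reason: 'URL-like input failed strict validation' };
  }

  // Bare hostnames such as "example.com" are out of scope for this sketch.
  return { action: 'prompt', text };
}

// Constructed sample inputs.
const samples = [
  'https://example.com/path',
  'https://my-wesite.com <constructed instruction placeholder>',
  'summarize this page',
];
for (const s of samples) console.log(s, '=>', classifyOmniboxInput(s).action);
```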

Alongside this finding, SquareX Labs disclosed another related threat called AI Sidebar Spoofing. The technique allows attackers to overlay a fake AI sidebar inside browsers such as Atlas and Perplexity Comet using malicious extensions. When users type prompts into the spoofed sidebar, the injected code can exfiltrate data, install malware, or redirect users to harmful websites.

Researchers described prompt injection as a growing security challenge for AI browsers, including OpenAI Atlas, Perplexity Comet, and Opera Neon. These attacks can be hidden inside web pages using white text, HTML comments, or even faint instructions embedded in images, which are read by AI systems through optical character recognition.

OpenAI’s Chief Information Security Officer, Dane Stuckey, acknowledged the issue in a public statement. He confirmed that the company has conducted extensive red-teaming, added safety guardrails, and trained models to ignore malicious instructions. However, he also admitted that prompt injection remains an unresolved frontier problem in AI security.

Perplexity and Brave have also confirmed that their own browsers face similar risks. Both companies have adopted multi-layered protection systems, including real-time detection, reinforcement filters, and transparency controls to defend against prompt-based attacks.

Experts agree that prompt injection represents a new phase in cybersecurity. The blending of artificial intelligence and web browsing has created new opportunities for productivity—but also new risks that demand constant monitoring and innovation.

October 27th, 2025 | AI Expansion, Cybersecurity, Data Protection

About the Author:

FirstHackersNews- Identifies Security
