By Vikrant Rana, Anuradha Gandhi and Prateek Chandgothia
Introduction:
On October 21, 2025, OpenAI unveiled its AI-powered web browser name ‘Atlas’. Similar to Perplexity’s Comet browser which was launched in early October, Atlas is OpenAI’s offering of Artificial Intelligence (hereinafter referred to as ‘AI’) powered browser which allows users to browse the internet through prompts instead of clicking on links.[1] While this is considered as the next big step in AI innovation, major cybersecurity firms like NeuralTrust and LayerX have tested and discovered that the AI browser is highly vulnerable to prompt injection attacks (hereinafter referred to as ‘PIA’).
Traditional Browsers v. AI Powered Browser
Over the years, the market surrounding web browsers has been controlled by certain major players such as Google Chrome, Microsoft Edge, Opera, and Mozilla Firefox. The competition between these platforms centered largely on speed of browsing and variety of extensions available. However, with the advent of AI powered browsers such as Comet and Atlas, the competition criteria is shifting towards the smartness of AI-powered co-pilots for navigating daily online life.
AI powered browsers aim to operate as a personal agent rather than a mere search portal for users. They can assist users in performing multistep tasks with a single instruction. This essentially eliminates the need for users to sit in front of their computer screens as the AI takes its time to complete the assigned task.
For example, the user can ask the AI agent, integrated in the browser, to find cheapest and shortest flights from New Delhi to Bangalore on 29th October 2025 and book the window seat. The AI agent will open tabs automatically, click links, browse through the flight listings, compare the prices and the time duration of the flights, search for availability of windows seat and then go ahead to book the tickets. It may, however prompt the user wherever user input is necessary. If there is no window seats available in any of the flights, the AI agent may ask the user if she wants to book an aisle seat. This way the user flow shall differ significantly in AI powered browsers when compared to traditional browser.[2]
Are AI-Powered Browsers safe?
While most cyber experts acknowledge that AI powered browsers with integrated Agentic Models would soon be the primary method of interacting with the internet, they flag concerns regarding it still being in a fairly nascent stage when it comes to issues like data privacy and might be a cyber-security disaster waiting to happen.[3]
What are Prompt Injection Attacks?
PIA is a new cyber security threat emerging in cases of exploiting generative AI models. It is done by altering or manipulating a user input into the AI model to gain access to confidential information of the user, inject false content to manipulate output generation and disrupting the model’s intended functions.
- Direct PIAs – This involves hackers injecting malicious prompts directly into the AI model which over-rides the developer set system instructions and compels the model into bypassing moderation and security policies.
- Indirect PIAs – This involves the hacker publishing the malicious prompts in external data sources which the AI model accesses to generate an output in response of the User’s prompt.[4]
Assessing the Atlas Browser’s vulnerability to PIAs
As per the reports published by LayerX and NeuralTrust, Atlas browser has a cybersecurity vulnerability which allows cyber threat actors to inject malicious instructions in ChatGPT’s Memory which can then be used to execute remote codes. This can result in system infection, granting unauthorized privileges or deployment of malware.
- Exploiting Authentication Cookie/ Token: Hackers can exploit ChatGPT’s memory by tricking a logged‑in user into clicking a malicious link, which secretly sends a request that looks legitimate because the user is already authenticated. This hidden request plants harmful instructions into ChatGPT’s memory without the user noticing. Since ChatGPT’s memory persists across devices, browsers, and sessions, those instructions can later be triggered when the user interacts with ChatGPT, potentially allowing attackers to run malicious code and spread risks from personal use into workplace systems.
While this threat can affect ChatGPT users on all browsers, this is particularly more dangerous on Atlas Browser as the User is by default always logged into CHATGPT. When a user is already logged in to ChatGPT, their browser holds an ‘authentication cookie/token’ proving their identity. If they click on a malicious link, it can open a compromised site that secretly sends a fake request to ChatGPT using that key.This request plants hidden instructions into ChatGPT’s memory without the user realizing it. Later, when the user interacts with ChatGPT, those poisoned memories can be triggered, allowing attackers to run harmful code and potentially take control of systems or data.[5]
- Vulnerability in the Omnibox: Researchers at NeuralTrust discovered a serious flaw in Atlas’s “Omnibox,” the bar where users type web addresses or commands. Normally, prompt injection attacks hide malicious instructions inside webpages, but this new method disguises harmful commands inside what looks like a normal URL.
When a user pastes such a “poisoned” URL into the Omnibox, Atlas may fail to recognize it as a web address and instead treat the entire text as a trusted command from the user. Atlas gives high trust to anything typed directly into the Omnibox, these hidden instructions can bypass safety checks and override user intent, potentially forcing the agent to take dangerous actions.In extreme cases, attackers could exploit this to access authenticated services like Google Drive and even mass delete files, making the vulnerability especially risky.[6]
OpenAI’s Response to the Vulnerability
OpenAI’s chief information security officer (hereinafter referred to as ‘CISO’), Dane Stuckey, acknowledged that prompt injection attacks, where hidden instructions in websites, emails, or other content trick AI agents into misbehaving, are a major emerging risk. He explained that while OpenAI has taken steps such as red‑teaming, new training methods, layered guardrails, and detection systems to reduce the threat, prompt injection remains an unsolved problem that determined attackers will continue to exploit.[7]
(To read about the responsibilities of CISO under the Indian legal Framework, refer to https://ssrana.in/articles/differences-in-the-roles-and-responsibilities-of-dpo-and-ciso/ )
Risk Mitigation Strategies
Developers can reduce the risk of prompt injection attacks by applying several best practices.
- Developers should sanitize inputs by stripping out suspicious characters and filtering unexpected formats.
- They can fragment prompts so that trusted instructions are kept separate from dynamic user content, ideally using structured data instead of raw text.
- Context isolation is also key. Keeping user‑generated input apart from system control prompts prevents attackers from blending malicious instructions into the model’s logic.
- On the output side, validation layers can review or rate the model’s responses and enforce guardrails through extra logic before results are delivered.
- Beyond these technical measures, organizations should regularly run red‑team and adversarial testing exercises to simulate real‑world attacks.
Prompt Injection Attacks under India’s IT Framework?
The Indian Legal Frameworks do not explicitly mention PIA as a criminal offense or civil wrong. However, certain provisions can be interpreted and applied to such cases. The Information Technology Act, 2000 deals with cases of tampering with computer resources, violation of privacy, and data or identity theft and recognizes these as criminal offenses. These provisions can be utilized to prosecute a cyber-threat actor who has indulged in PIAs as it prescribes up to three years of imprisonment and INR 5 Lakh fine.[8]
On March 26, 2025, CERT-In issued an advisory on ‘Best Practices against Vulnerabilities while using Generative AI Solutions’.[9] In the advisory, CERT-In discussing prompt injection as a mechanism of exploiting the vulnerabilities in AI design, training, and interaction mechanisms. It defined prompt injection as an input manipulation attack in which malicious instructions or hidden commands are introduced into an AI system which enable malicious actors to hijack the AI model’s output and jailbreak the AI system, effectively bypass its safeguards, such as content filters that restrict its functionality.
(To read more on the best practices recommended by CERT-In, refer to – https://ssrana.in/articles/cert-in-issues-advisory-against-use-of-ai-models/ )
Additionally, in case of a material data breach through a prompt injection attack, OpenAI shall mandatorily be required to report such breach to the Data Protection Board under the Digital Personal Data Protection Act, 2023.[10]
(To read more on the Data Breach Reporting in India, refer to – https://ssrana.in/articles/data-breach-reporting-in-india-legal-obligations-and-best-practices/ )
Who is Responsible for Risk Mitigation and Redressal?
The responsibly and onus to prevent and redress anticipated losses to users from these vulnerabilities lie with the AI system deployers, in this case OpenAI. Global Frameworks such as the European Union AI Act and the United States’ National Institute of Standards and Technology Cyber Security Framework have attributed liability depending on the control of an entity over the AI model during the stage of the lifecycle in which a particular cyber security incident has occurred.[11]
While these instances have been limited to cases of AI Bias and errors, the same principle is likely to be adopted in cases of cyber incidents of Prompt Injection attacks and unauthorized disclosure of Personal and confidential information.
In certain cases, General Purpose AI models are acquired from AI Deployment Company but are trained natively by another company before its integration in their workflow. In such cases regulators have attributed liability on the Company which was actively involved in training the AI model to be liable of AI incidents.[12]
[4] https://www.ibm.com/think/topics/prompt-injection
[5] https://layerxsecurity.com/blog/layerx-identifies-vulnerability-in-new-chatgpt-atlas-browser/
[6] https://futurism.com/artificial-intelligence/serious-new-hack-openai-ai-browser
[7] https://www.theregister.com/2025/10/22/openai_defends_atlas_as_prompt/
[8] https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
[9] https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2025-0013
[10] https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf