This week, OpenAI released ChatGPT Atlas, the company's first web browser with artificial intelligence. Atlas lets you surf the web like any other browser, but as you'd expect, it comes with ChatGPT integration. You can log into your account and reach the assistant through the sidebar menu, which will remember not only past conversations, but also your browsing history. Like other AI browsers, such as Perplexity's Comet, the browser has an "agent mode" that can perform actions on your behalf. You can have it order you food through DoorDash or buy your plane tickets on Kayak instead of doing it yourself.
While this may seem useful to ChatGPT fans, I have trouble recommending the browser to people given the security vulnerabilities that AI browsers currently face. Any browser with agent capabilities is vulnerable to prompt injection attacks: attackers can seed websites with hidden malicious prompts that the AI interprets as if they were written by the user. It can then take action on the attacker's behalf, for example, opening a financial site or obtaining root access via email. It seems like a big risk to take just to hand over some basic internet tasks to an AI bot.
But prompt injections are not the only vulnerability Atlas currently faces. According to a new discovery, the browser may also compromise the user's clipboard.
How the Atlas Clipboard Injection Vulnerability Works
Android Authority spotted a post on X from an ethical hacker known as Pliny the Liberator. According to Pliny, ChatGPT Atlas is vulnerable to clipboard injection, a type of attack that allows an attacker to gain access to your computer's clipboard. The idea is this: an attacker can add a "copy to clipboard" function to a button on their website. When you click the button, a malicious script runs in the background, allowing the attacker to access your clipboard and add whatever they want to it. This could be the URL of a website designed to install malware on your devices; it could be the URL of a site posing as a financial site. Either way, you don't know that your clipboard has been compromised, so you might open a new tab, paste what you think was the last thing you copied, and fall into the trap.
The particular risk with ChatGPT Atlas lies in its agent functions: in agent mode, Atlas can press such a malicious button on its own without recognizing it as malicious. One moment you ask Atlas to order you lunch; the next, the browser has accidentally set you up to be hacked.
Pliny says OpenAI has apparently trained Atlas to recognize prompt injections, but the underlying "copy to clipboard" function is hidden from the AI's eyes. This is a neat trick: a bot can hover over a button without knowing there's anything wrong with it, so it "clicks" it without raising any red flags.
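The gap described above is that what a copy button writes to the clipboard can differ from anything the page shows. As an added example (not code from OpenAI, Pliny, or the original article), this JavaScript guard allows a clipboard write only when the copied text appears in the rendered page text; `guardClipboard`, its two hooks, and the sample page are assumptions constructed for illustration.

```javascript
// Added example: a guard for clipboard writes (constructed, not OpenAI's code).
// Assumption: the agent harness or extension can wrap the clipboard object
// before page scripts use it. Covers the async Clipboard API's writeText only.
const URL_RE = /\b(?:https?:\/\/|www\.)[^\s"'<>]+/gi;

// Collapse whitespace so layout differences do not cause false mismatches.
function normalize(s) {
  return String(s ?? "").replace(/\s+/g, " ").trim();
}

// Allow a write only when the copied text is something the page actually renders.
function auditClipboardWrite(visibleText, payload) {
  const shown = normalize(visibleText);
  const copied = normalize(payload);
  if (copied === "" || shown.includes(copied)) {
    return { allowed: true, reasons: [], urls: [] };
  }
  const urls = copied.match(URL_RE) || [];
  const reasons = ["copied text is not present in the rendered page text"];
  if (urls.length > 0) reasons.push("copied text contains a URL the page never shows");
  return { allowed: false, reasons, urls };
}

// Wrap clipboard.writeText; getVisibleText and onBlocked are hypothetical hooks
// (for example () => document.body.innerText and a logger or user prompt).
function guardClipboard(clipboard, getVisibleText, onBlocked) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (payload) => {
    const verdict = auditClipboardWrite(getVisibleText(), payload);
    if (!verdict.allowed) {
      onBlocked(verdict);
      throw new Error("clipboard write blocked: " + verdict.reasons[0]);
    }
    return original(payload);
  };
  return clipboard;
}

// Constructed sample: a page with a visible coupon code and a copy button.
const samplePage = "Order summary: 1 x Veggie burrito\nCoupon code: LUNCH10  [Copy coupon]";
const fakeClipboard = { value: "", async writeText(t) { this.value = t; } };
const blockedLog = [];
guardClipboard(fakeClipboard, () => samplePage, (v) => blockedLog.push(v));
```

A write of the visible coupon code passes through, while a write of a URL that appears nowhere on the page is rejected and reported to `onBlocked`.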
For those who frequently copy and paste items throughout the day, this can be quite dangerous. You might copy something in one application and then ask ChatGPT Atlas to do something on your behalf. But, without knowing it, the browser clicks a malicious link that adds something to the clipboard. You then paste into the browser window, thinking the original item is still copied, but instead you are taken to a website that claims your banking session has expired and you need to log in. If you're quickly multitasking, you might "sign in" without a second thought, handing over your banking credentials and 2FA codes without even realizing it.
These are hypotheticals. There are currently no reported cases of this type of malicious activity affecting ChatGPT Atlas. At the same time, ChatGPT Atlas is two days old. In my opinion, the risk here is not worth it, especially since I have no problem using the Internet on my own.






