OpenAI says AI browsers may always be vulnerable to prompt injection attacks

https://techcrunch.com/feed/
Summary

Even as OpenAI works to harden its Atlas AI browser against cyberattacks, the company admits that prompt injection, a class of attack that manipulates AI agents into following malicious instructions often hidden in web pages or emails, is a risk that is not going away any time soon, which raises questions about how safely AI agents can operate on the open web. “Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully ‘solved’,” OpenAI wrote in a Monday blog post detailing how the firm is beefing up Atlas’s defenses against the unceasing attacks. The company conceded that “agent mode” in ChatGPT Atlas “expands the security threat surface.”

OpenAI launched its ChatGPT Atlas browser in October, and security researchers rushed to publish demos showing that a few words planted in a Google Docs document could change the underlying browser’s behavior. That same day, Brave published a blog post explaining that indirect prompt injection, in which the malicious instructions arrive through content the agent reads rather than from the user, is a systemic challenge for AI-powered browsers, including Perplexity’s Comet.

OpenAI isn’t alone in recognizing that prompt injection isn’t going away. The U.K.’s National Cyber Security Centre warned earlier this month that prompt injection attacks against generative AI applications “may never be totally mitigated,” putting websites at risk of data breaches. The agency advised security professionals to reduce the risk and impact of prompt injection rather than assume the attacks can be “stopped.” For OpenAI’s part, the company said: “We view prompt injection as a long-term AI security challenge, and we’ll need to continuously strengthen our defenses against it.”

The company’s answer to this Sisyphean task? A proactive, rapid-response cycle that the firm says is showing early promise in helping discover novel attack strategies internally before they are exploited “in the wild.” That’s not entirely different from what rivals like Anthropic and Goo...

First seen: 2025-12-22 22:36

Last seen: 2025-12-24 15:45