TL;DR: Atlas browser is OpenAI’s new AI-powered web browser, featuring ChatGPT integration for summarising pages, completing tasks and intelligent search.
Security experts have demonstrated serious vulnerabilities, particularly prompt injection attacks where malicious websites can hijack the AI to steal data or manipulate your browser.
Whilst suitable for casual personal browsing, the Atlas browser should not be used for work, banking or any activity involving sensitive information until these fundamental security issues are resolved.
For now, keep a traditional browser for anything confidential and treat Atlas as experimental technology.
Table of Contents
1. What Is the Atlas Browser?
2. The Security Vulnerabilities You Need to Know About
- Prompt Injection: An Unsolved Problem
- Real-World Demonstrations of Attacks
3. What OpenAI Is Doing About It
4. What This Means for Local Businesses in the UK
- What Data Does The Atlas Browser Collect?
- Incognito Mode and Data Retention
- GDPR and Business Use Considerations
5. Should You Use Atlas Browser?
- When You Absolutely Shouldn’t Use Atlas
- When Atlas Might Be Appropriate
- Best Practices If You Choose to Use Atlas
OpenAI launched ChatGPT Atlas on 21 October 2025, a new web browser with ChatGPT integrated directly into the browsing experience. Within days, the browser became one of tech’s most talked-about releases, but also one of its most controversial.
Currently available only on macOS, with Windows, iOS and Android versions planned for future release, Atlas represents OpenAI’s ambitious attempt to challenge Google Chrome’s dominance. However, cybersecurity experts have raised serious concerns about vulnerabilities that could put your data at risk, along with the added risk of AI hallucinations.
This guide explains what Atlas browser actually is, how it works, and critically examines the security issues you need to understand before installing it.
What Is the Atlas Browser?
ChatGPT Atlas is a web browser built on the Chromium engine (the same technology that powers Google Chrome) with ChatGPT integrated at its core. Rather than treating AI as an add-on feature, Atlas makes ChatGPT your primary interface for navigating the web.
The browser includes several key features:
Ask ChatGPT sidebar. On any webpage, you can open a ChatGPT sidebar to summarise, analyse or handle tasks directly in the same window. There’s no need to copy and paste between tabs.
Browser memories. When enabled, ChatGPT remembers key details from your web browsing to improve chat responses and offer smarter suggestions, such as retrieving a webpage you read previously. These memories are private to your account and you can view, archive or clear them at any time.
Agent mode. For Plus, Pro and Business users, agent mode allows ChatGPT to complete end-to-end tasks autonomously, such as researching meal plans, creating shopping lists and adding items to a cart. You remain in control and can pause or interrupt at any time.
Integrated search. Rather than traditional search results, you can ask ChatGPT a question or enter a URL to see faster, more useful results in one place, with options to explore search links, images, videos and news.
The Security Vulnerabilities You Need to Know About
Within 24 hours of Atlas’s launch, security researchers demonstrated serious flaws. Cybersecurity experts warn that Atlas and other AI browsers pose new security risks, particularly regarding “prompt injection” attacks where malicious instructions are given to an AI system to make it behave in unintended ways.
Prompt Injection: An Unsolved Problem
OpenAI’s Chief Information Security Officer, Dane Stuckey, publicly acknowledged that:
“prompt injection remains a frontier, unsolved security problem”
This isn’t a minor bug that can be patched. It’s a fundamental challenge affecting all AI browsers.
Prompt injection is a common flaw amongst browsers that incorporate AI agents, such as Perplexity’s Comet and Fellou. The problem occurs when AI models treat content from webpages as if it were part of their instructed task, allowing attackers to hide malicious instructions in websites, emails or other sources.
Real-World Demonstrations of Attacks
Security researchers have successfully demonstrated multiple attack vectors:
- An ethical hacker discovered that Atlas is susceptible to clipboard injection attacks, where malicious code hidden in webpages can inject your clipboard with phishing links when the AI agent navigates a site and clicks buttons without your knowledge.
- Another security researcher successfully used a Google Docs-based prompt injection to change the browser mode from dark to light, demonstrating how carefully crafted content can trick ChatGPT Atlas into following attacker-controlled instructions.
- When an AI browser processes a webpage, it cannot distinguish your legitimate instructions from malicious commands hidden in the content, making traditional security boundaries like same-origin policy ineffective when AI agents act with your full privileges.
What OpenAI Is Doing About It
OpenAI states it has implemented several measures, including extensive red-teaming, novel model training techniques to reward the model for ignoring malicious instructions, overlapping guardrails and safety measures, plus new systems to detect and block attacks.
The company has also built specific protections:
In agent mode, ChatGPT cannot run code in the browser, download files or install extensions, cannot access other apps on your computer or file system, cannot read or write ChatGPT memories, and cannot access saved passwords or use autofill data.
Atlas offers a “logged out mode” which allows the agent to browse and act without having access to credentials for logged-in sessions, and a “watch mode” to help keep users aware and in control when the agent operates on sensitive sites (OpenAI).
However, Stuckey himself cautioned that “adversaries will spend significant time and resources to find ways to make ChatGPT agent fall for these attacks”.
What This Means for Local Businesses in the UK
Beyond security vulnerabilities, Atlas raises significant privacy questions, particularly for UK users who must consider GDPR compliance.
What Data Does The Atlas Browser Collect?
Atlas combines web browsing data with chatbot data, putting more highly personal information in one place than traditional browsers. The browser can access everything you’re logged into, including email, customer relationship management systems, banking portals and internal tools.
By default, OpenAI states it won’t use the content you browse to train its models, but you can opt in by enabling “include web browsing” in your Atlas data controls settings.
However, if you’ve enabled training for chats in your ChatGPT account, training will also be enabled for chats in Atlas, including website content you’ve attached when using the Ask ChatGPT sidebar and details from browser memories.
Incognito Mode and Data Retention
Atlas offers an incognito mode where browsing isn’t linked to your ChatGPT account and isn’t saved in your browser history. However, this doesn’t mean data isn’t processed by OpenAI’s servers during your session.
GDPR and Business Use Considerations
For UK businesses considering Atlas, GDPR compliance is a critical concern. When you use Atlas with customer data, you’re potentially sending that information to OpenAI’s servers for processing.
Key questions to consider:
- Have your customers consented to their data being processed by OpenAI’s AI systems?
- Does your data processing agreement with OpenAI meet GDPR requirements?
- Are you fulfilling your obligations as a data controller when employee browsing habits expose customer information to the AI?
Enterprise and education customer data is segregated from training by default under OpenAI’s business terms, but the act of processing sensitive data through an AI browser that could be vulnerable to attacks remains a risk that organisations must assess carefully.
Should You Use Atlas Browser?
The answer depends on what you’re using it for and your risk tolerance.
When You Absolutely Shouldn’t Use Atlas
Do not use Atlas for:
- Accessing banking or financial services
- Handling customer data or confidential business information
- Any work involving NDAs or compliance requirements
- Browsing whilst logged into sensitive accounts
Brave’s security researchers recommend separating normal browsing from agentic browsing, using AI browsers only when beneficial or necessary, and keeping sessions handling sensitive information like banking and communications in your regular browser.
When Atlas Might Be Appropriate
Atlas could be suitable for:
- General research on non-sensitive topics
- Personal browsing that doesn’t involve confidential information
- Experimenting with AI-assisted web navigation in a sandboxed environment
- Learning how agentic AI browsers work (with appropriate precautions)
Best Practices If You Choose to Use Atlas
If you decide to try Atlas, follow these precautions:
- Disable agent mode entirely unless you specifically need it for a particular task, and watch what it does rather than letting it operate autonomously.
- Use logged out mode for any browsing where the AI doesn’t need access to your credentials.
- Keep browser memories turned off unless you have a specific reason to enable them, and regularly review and clear any memories that are created.
- Never use Atlas for work-related browsing where you’re accessing company systems, customer data or confidential information.
- Maintain a separate traditional browser for all sensitive activities, and only use Atlas for general-purpose browsing where data exposure wouldn’t be harmful.
- Where possible, set up the AI to require explicit user confirmation before carrying out autonomous tasks.
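The following added example, which is not OpenAI's or Atlas's code, shows how the blocked capabilities listed under "What OpenAI Is Doing About It" and the confirmation advice above can be enforced by a fixed policy outside the model, so that text on a webpage cannot talk the agent past them. The action names, host lists, HTTPS-only rule and the `Task`/`Action` types are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Capabilities the article lists as unavailable in agent mode: always refused.
DENIED = {"run_code", "download_file", "install_extension", "access_filesystem",
          "read_memories", "write_memories", "read_passwords", "use_autofill"}
# Hypothetical action names; anything not listed here is refused by default.
READ_ONLY = {"navigate", "read_page"}
STATE_CHANGING = {"click", "submit_form", "type_text", "write_clipboard"}
# Constructed list of hosts the user treats as sensitive.
SENSITIVE_HOSTS = {"bank.example", "mail.example"}

@dataclass(frozen=True)
class Action:
    kind: str   # what the agent proposes to do
    url: str    # page the action targets

@dataclass(frozen=True)
class Task:
    allowed_hosts: frozenset   # hosts the user named when starting the task
    logged_out: bool = True    # agent runs without the user's sessions

def host_of(url):
    """Return the lower-cased host of an HTTPS URL, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")

def in_scope(host, allowed):
    # Exact match or a true subdomain; a look-alike prefix does not match.
    return any(host == h or host.endswith("." + h) for h in allowed)

def decide(task, action):
    """Return 'deny', 'confirm' or 'allow' for one proposed agent action."""
    host = host_of(action.url)
    if (host is None or action.kind in DENIED
            or action.kind not in READ_ONLY | STATE_CHANGING):
        return "deny"
    if in_scope(host, SENSITIVE_HOSTS):
        # Sensitive site: never with live sessions, otherwise only with the user watching.
        return "confirm" if task.logged_out else "deny"
    if not in_scope(host, task.allowed_hosts):
        return "confirm"   # outside the hosts the user named for this task
    if action.kind in STATE_CHANGING:
        return "confirm"   # explicit user confirmation before acting
    return "allow"
```

Because the decision depends only on the proposed action and the task the user declared, it gives the same answer whatever instructions the page content contains.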
The Broader Context: Are AI Browsers Ready?
British programmer Simon Willison stated:
“The security and privacy risks involved here still feel insurmountably high to me. I certainly won’t be trusting any of these products until a bunch of security researchers have given them a very thorough beating”.
Brave Software’s research confirms:
“Indirect prompt injection is not an isolated issue, but a systemic challenge facing the entire category of AI-powered browsers”.
This affects not just Atlas, but competitors like Perplexity’s Comet and other AI browsers.
The technology is genuinely innovative. Having ChatGPT understand your browsing context and assist with tasks could transform how we use the web.
However, the security foundations aren’t yet solid enough for handling sensitive information.
Final Verdict: OpenAI – ChatGPT Atlas Browser
Atlas browser represents an ambitious vision for AI-integrated web browsing, but the execution reveals fundamental security challenges that remain unsolved. OpenAI acknowledges these problems and is working to address them, but this is cutting-edge technology being deployed before all the risks are fully understood.
For personal, non-sensitive browsing, Atlas offers an interesting glimpse into the future of AI-assisted web navigation. For anything involving confidential data, financial information or business use, the risks currently outweigh the benefits.
If you do install Atlas, treat it as an experimental technology. Keep sensitive activities in your traditional browser, disable agent mode unless specifically needed, and remain cautious about which sites you visit whilst ChatGPT is watching.
The promise of AI browsers is real, but we’re not quite there yet.
The technology will improve, and many of these vulnerabilities may eventually be resolved. For now, the sensible approach is to wait, watch how the security landscape develops, and let others be the guinea pigs for this fascinating but risky new category of software.
Sources:
- TechCrunch: OpenAI wants to power your browser
- Bloomberg: Atlas browser won’t hurt Google
- Platformer: Five ways to think about Atlas
- Android Authority: Atlas security flaws
- The Washington Post: ChatGPT Atlas: What data it collects
- Axios: ChatGPT launches Atlas
- OpenAI: Atlas launch
- Engadget: ChatGPT no longer has to preserve all of its data
- Cursor IDE: Atlas browser – A complete guide


