Yesterday OpenAI launched the ChatGPT Atlas web browser, a supposedly reimagined browser that looks a lot like a Forked version of Chromium (19459011) with a chatbot attached–in an attempt to redefine the way people navigate the Internet. It’s not certain that it will achieve that, but in one way it has already been innovative: It has launched a new set of concerns regarding online privacy and security.
The data is the reason why OpenAI built a web-browser. Browsers store a lot of data, from passwords to payment information and the sites that people visit. They also contain telemetry information on where people click.
OpenAI is positioning that as a feature. “Memories”which is like a web history on steroids, can recall contextual information such as the sites you visit and documents you interact with. The idea is to allow users to navigate the internet using a conversational interface, which will let them find information in human language instead of precise URLs and keywords. As the Washington Post points out, the browser’s privacy controlsreveal a lot more about the data that the company is storing and collecting. This has some very concerning implications.
OpenAI saves details about your interactions with sites, the websites you visit and your preferences by default. It is not supposed remember certain information such as personally identifiable information, like government IDs and Social Security numbers, or bank account details. It also shouldn’t remember online credentials, account retrieval content, or addresses. It also has filters that exclude private data such as medical records and financial details. It will save summaries, but not those from “certain sensitive sites (like adult websites),” which continues OpenAI’s display of porn. Users can also select to exclude specific pages by clicking the “page visibility” option in the address bar.
Of course, this assumes that everything works as intended, which is not always the case. ChatGPT Atlas includes an AI agent who can browse the internet and complete tasks for the user. Previous browsers have had real problems with this. Perplexity’s Comet web browser was hacked by simple prompt injection attacks earlier this year. Hidden text on a site could hijack the agent. Security researchers were able to get the agent reveal a user’s login credentials, retrieve and share an authenticator code.
Simon Willison, a programmer, raised the alarm about this. In ablog post, he wrote: “I’d love to see a detailed explanation of the steps Atlas is taking to avoid prompt injections.” It looks like the main defence is to expect the user to closely monitor what agent mode does at all times! He also described the security and privacy risk associated with browser agents as “insurmountably” high.
One hacker has already claimed thathe knocked Atlas of its tracks. Twitter user @elder_plinius demonstrated that the Atlas Agent was susceptible to “clipboard-injection,” which causes the Agent to copy malicious links that will lead the user later to a phishing website that steals credentials. Eight Sleep did respond to a comment request
but not immediately. Gizmodo’s post will be updated when we receive a response.
In less than 24 hours, someone found a small crack in Atlas. Experts warn that AI browsers such as Atlas may have privacy and security holes the size of canyons. Atlas, meanwhile, collects more data about users and their habits to create a more sophisticated surveillance system around them. This seems like a potentially dangerous combination.
