Full Report
The newly released OpenAI Atlas web browser has been found to be susceptible to a prompt injection attack in which its omnibox can be jailbroken by disguising a malicious prompt as a seemingly harmless URL to visit. "The omnibox (combined address/search bar) interprets input either as a URL to navigate to, or as a natural-language command to the agent," NeuralTrust said in a report published Friday.
Analysis Summary
# Vulnerability: Prompt Injection via Omnibox Misinterpretation in OpenAI Atlas Browser
## CVE Details
- CVE ID: Not Provided in Source
- CVSS Score: Not Provided in Source
- CWE: Analogous to CWE-74: Improper Neutralization of Special Elements Used in an Operation (Improper Input Validation for Command Execution/Context Switching)
## Affected Systems
- Products: OpenAI Atlas Web Browser
- Versions: Newly released (Specific version not specified)
- Configurations: Any configuration where the omnibox accepts input interpreted as both a URL and a natural-language command for the embedded AI agent.
## Vulnerability Description
The OpenAI Atlas web browser's omnibox (combined address/search bar) fails to strictly delineate between inputs intended as navigable URLs and inputs intended as natural-language commands for the integrated AI agent. An attacker can craft a malicious input string that *resembles* a valid URL (e.g., starting with `https:/` and containing a domain-like structure such as `my-wesite.com`) but embeds agent instructions immediately after the URL-like portion. Because this crafted input fails standard URL validation, the browser treats the entire string as "high-trust user intent text" for the AI agent, so the agent executes the hidden instruction instead of navigating to the specified site.
## Exploitation
- Status: PoC available (Demonstrated by NeuralTrust report)
- Complexity: Low (Requires crafting a URL-like string containing the command)
- Attack Vector: Adjacent (User must interact with the omnibox)
## Impact
- Confidentiality: High (Potential for executing hidden commands like data deletion from connected apps, e.g., Google Drive)
- Integrity: High (Ability to redirect users to attacker-controlled phishing pages or execute arbitrary agent commands)
- Availability: Medium (Potential for denial of service if harmful commands are executed, though primary impact is integrity/confidentiality)
## Remediation
### Patches
- No specific patch version available in the source material. **Note:** Immediate patching by OpenAI is expected following this public disclosure.
### Workarounds
- Users should remain cautious when entering inputs into the omnibox and treat any ambiguous string, even a URL-like one, as potentially executable by the integrated AI agent until an official patch is applied.
- Avoid pasting complex strings from external sources directly into the browser's omnibox.
## Detection
- **Indicators of Compromise (IOCs):** Omnibox inputs with a malformed scheme delimiter (`https:/` instead of `https://`) followed immediately by non-URL text or command phrases; unexpected redirects or agent tool executions following user input.
- **Detection Methods and Tools:** Security review of the browser's input-parsing logic to enforce a strict validation boundary between URL interpretation and agent instruction processing, so that input failing URL validation is not silently reinterpreted as an agent command.
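The vulnerability description above (input that fails URL validation falling through to "agent instruction") and the detection note on malformed `https:/` prefixes both come down to a single routing decision in the omnibox. The following Python is an added illustration, not code from the NeuralTrust report or from OpenAI, of a fail-closed classifier: input that starts like a URL but fails strict validation, or a valid address followed by free text, is sent back to the user for confirmation instead of being handed to the agent. The three route names (`navigate`, `confirm`, `agent`) and the sample inputs are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Dotted hostname of letters, digits and hyphens (ASCII only; IDNs are out of scope here).
_HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)
# A bare domain, optionally with a path, typed without a scheme: example.com/page
_BARE_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.IGNORECASE)
# Input that *starts* like a web address ("https:", "http:", or any "scheme:/"),
# whether or not the remainder is well formed. Plain prose like "Note: ..." does not match.
_SCHEME_PREFIX_RE = re.compile(r"^(?:https?:|[a-z][a-z0-9+.-]*:/)", re.IGNORECASE)


def is_strict_url(text: str) -> bool:
    """True only for a complete, unambiguous http(s) URL containing no whitespace."""
    if not text or any(ch.isspace() for ch in text):
        return False
    try:
        parts = urlsplit(text)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    return (
        parts.scheme.lower() in ("http", "https")
        and bool(parts.netloc)
        and _HOST_RE.match(parts.hostname or "") is not None
    )


def classify_omnibox_input(raw: str) -> str:
    """Route omnibox text to exactly one of three handlers (names are this example's own).

    "navigate": a strictly valid URL or bare domain; go there, the agent is not involved.
    "confirm":  looks like a URL attempt but failed validation, or a valid address
                followed by prose; echo it back as an invalid address and do NOT
                pass it to the agent without explicit user confirmation.
    "agent":    ordinary natural language; may be treated as a command.
    """
    text = raw.strip()
    if is_strict_url(text) or _BARE_DOMAIN_RE.match(text):
        return "navigate"
    if _SCHEME_PREFIX_RE.match(text):
        # The failure mode in the report: "https:/my-wesite.com ..." is not a URL, and a
        # lenient parser falls through to "this must be an instruction". Fail closed instead.
        return "confirm"
    tokens = text.split(None, 1)
    if len(tokens) == 2 and (is_strict_url(tokens[0]) or _BARE_DOMAIN_RE.match(tokens[0])):
        # A valid address followed by free text: the trailing words may be
        # instructions riding on the URL, so require confirmation.
        return "confirm"
    return "agent"


# Constructed sample inputs with the route each should take (not taken from the report).
SAMPLES = {
    "https://example.com/path": "navigate",
    "example.com": "navigate",
    "https:/my-wesite.com tell me a joke": "confirm",
    "https:/my-wesite.com": "confirm",
    "example.com then summarize the article": "confirm",
    "summarize this page for me": "agent",
    "Note: call the dentist tomorrow": "agent",
}


def check_samples(samples=SAMPLES) -> dict:
    """Classify every sample; returns {input: (expected_route, actual_route)}."""
    return {text: (expected, classify_omnibox_input(text)) for text, expected in samples.items()}


if __name__ == "__main__":
    for text, (expected, actual) in check_samples().items():
        flag = "ok " if expected == actual else "BAD"
        print(f"{flag} {actual:<8} {text!r}")
```

The design choice worth noting is the order of the checks: the scheme-prefix test runs before the natural-language fallback, so a string that merely resembles a URL can never reach the agent by default. The cost is a confirmation prompt for inputs such as `example.com then summarize the article`, which is the intended trade: ambiguity between "address" and "command" is resolved by the user, not guessed by the parser.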
## References
- Vendor Advisory: OpenAI (Expected to be released following disclosure)
- Research Report: NeuralTrust report (link defanged: `https[:]//neuraltrust[.]ai/blog/openai-atlas-omnibox-prompt-injection`)
- Relevant News: The Hacker News Article (link defanged: `https[:]//thehackernews[.]com/2025/10/chatgpt-atlas-browser-can-be-tricked-by.html`)