Securely Use ChatGPT Atlas

OpenAI launched ChatGPT Atlas this week, its new AI-powered browser. Like Bruce Bogtrotter from Matilda, an cake AI-powered browser seems delicious at face value, but it comes with side effects worse than an upset tummy. As with all things security, you just have to understand the risks.

What is ChatGPT Atlas?

OpenAI describes ChatGPT Atlas as being able to “unlock the web with ChatGPT by your side,” giving you “instant answers, smarter suggestions, and help with tasks.” Sounds innocent enough, but that whole “tasks” thing…

If you’re thinking agents, then you’re spot on. Atlas can complete tasks for you by interacting with sites for you. This is known as Agent mode. It’s a ChatGPT feature OpenAI released in July. Now it’s even more accessible through the Atlas browser.

Much of our current lives is run through a browser or app. Think of it. Your finances. Your social network. Your entertainment. Your new sources of knowledge. We live in a highly connected world, and the little glass portal in your hand orchestrates so much of it.

Now, think about how you would feel if a stranger stole your unlocked phone. Yikes. If the thought of that makes you happy, then I have no hope for you.

Core Security Risks

There are two primary flavors of risk I see, all rooted in our old friend prompt injection.

Agent Compromise: Prompt injection embedded in websites you browse can manipulate the agent, tricking it into taking actions on your behalf. This has been well tested in AI browsers and is a known weak point. Here are just a few examples:

• Agents buying merchandise from phishing sites

• Agents sending one-time passwords to attackers

The largest problem with agents is that they’re only as useful as the data and tools you give them access to. If you’re not using agents in the Atlas browser, then you’re basically just switching browsers to impress some nerds. If that’s your angle, I won’t judge. Regardless, giving your browser the agency to access all of your data and applications is a slippery slope.

Memory Poisoning: Prompt injection that creates a long-term memory that influences the browser’s behavior moving forward. This is a neat little persistence mechanism that can be combined with other techniques to cause impact. For example, an attacker could use this to append social engineering attempts to the Atlas website summaries, encouraging the user to call a number or email the attacker.

We’re in the wild west of securing AI right now. And while the impacts are still low today, they will not stay that way forever. With early technologies, attackers are still working out the best way to monetize the security weaknesses. With AI-powered browsers, attackers can socially engineer the browser to take control of the agent and wreak havoc. It’s only a matter of time before we start seeing this in the wild.

OpenAI isn’t YOLO’ing the release of this. On their blog post, they called out some of the safeguards they added:

We prioritized safety as we built ChatGPT’s agent capabilities in Atlas, and added safeguards to address new risks that can come from access to logged-in sites and browsing history while taking actions on your behalf, for example:

- It cannot run code in the browser, download files, or install extensions
- It cannot access other apps on your computer or file system
- It will pause to ensure you're watching it take actions on specific sensitive sites such as financial institutions
- You can use agent in logged out mode to limit its access to sensitive data and the risk of it taking actions as you on websites

All of these are great. They’re just not foolproof and won’t stop the majority of attacks that will begin targeting AI browsers.

Paranoid Security Preferences

If you want to lean into your inner nerd and play around with Atlas, just be aware that prompt injection is a serious risk, but you can alleviate some of that risk with these settings and best practices.

Browsing Practices: while not a setting, picking your use cases on when and how you use an AI-powered browser is critical.

1. Avoid sensitive operations. If it were me, I would stay away from any sites that store my sensitive information or could materially impact my life if something bad happened, like my financial sites.

2. Monitor the browser. I get it, this is hard in an age where distractions are everywhere, like the cute golden retriever that’s walking outside my window right now. Just keep an eye on it when responses seem a bit funky or the agent is doing something that’s out of line with what you expect. You can stop the agent at any time.

Data Controls: Accessed in settings under “Data Controls”, this outlines how Atlas manages your information. These settings help limit the data you send to OpenAI.

1. Don’t set ChatGPT Atlas as your default browser. At least not yet…

2. Ensure “Improve the model for everyone” is off. This helps prevent sending your browsing history to OpenAI to train their models.

3. Disable “Help improve browsing & search.” If enabled, this can share technical details and URLs you visited with OpenAI.

Browser Memories: These let ChatGPT remember details from your web browsing history. It can provide more personalized responses and suggestions. This is a personal preference and a classic example of the trade-off between usability and security.

1. Disable “Reference browse memories.” This prevents Atlas from storing memories from your browsing sessions. Note that if you do keep this enabled, you can exclude certain sites from showing up in browser memories and future search results. This option is listed under “ChatGPT page visibility” in the “Web Browsing” preferences.

2. Enable “Summarize web pages on this device.” Web content is not sent to OpenAI and instead uses your local system to summarize websites.

Agent Mode: When you enable Agent mode, you’re given the option to run it in one of two ways:

1. Logged in: this fully impersonates you with all of the sites you’re currently logged into. Your email, your social accounts, if you sign into your bank account…all of it.

2. Logged out: as the name implies, it accesses websites as if you weren’t signed into them, making it the safer option to use by default. The best practice here is to always use “Logged out.” This will prevent Atlas from interacting with websites with your credentials.

Happy browsing.

If you have questions about securing AI, let’s chat.