Serious New Hack Discovered Against OpenAI's New AI Browser
Briefly

"The browser, which puts OpenAI's blockbuster ChatGPT front and center, features an "agent mode" - currently limited to paying subscribers - that allows it to complete entire tasks, such as booking a flight or purchasing groceries. However, that makes the browser vulnerable to "prompt injection" attacks, allowing hackers to embed hidden messages on the web that force it to carry out harmful instructions. For instance, one researcher tricked the browser into spitting out the words "Trust No AI" instead of generating a summary of a document in Google Docs, as prompted."
"Now, researchers at AI agent security firm NeuralTrust found that even Atlas's "Omnibox," the text box at the top of the browser that can accept either URLs or natural language prompts, is also extremely vulnerable to prompt injection attacks. Unlike previously demonstrated "indirect" prompt injection attacks that embed instructions in webpages, this particular exploit requires the user to copy and paste a poisoned URL into the omnibox - just like you've probably done with countless web addresses."
""We've identified a prompt injection technique that disguises malicious instructions to look like a URL, but that Atlas treats as high-trust 'user intent' text, enabling harmful actions," Mart"
Atlas puts ChatGPT front and center and offers an agent mode that can autonomously complete tasks such as booking flights or buying groceries. Its omnibox accepts both URLs and natural-language prompts, so a malformed or poisoned URL can be misclassified as user intent rather than as a web address. Because the omnibox treats what it takes for user intent as high-trust input, safety checks are reduced and the agent may execute instructions embedded in it. An attacker can therefore hide commands in a disguised URL that a user pastes, enabling prompt-injection exploits that manipulate outputs or trigger unwanted actions.
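The misclassification described above is the boundary a defender has to harden: anything that looks like a URL but fails strict parsing should be handled as low-trust content, never promoted to user intent. The classifier below is an added illustration of that rule and is not Atlas's or NeuralTrust's code; the three bins, the hostname regex and the sample inputs are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Conservative hostname check: dotted labels of letters/digits/hyphens plus an
# alphabetic TLD. Bare names and IP literals are deliberately not accepted here.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_omnibox_input(text: str) -> str:
    """Sort a single omnibox entry into one of three trust bins.

    'navigate'   - well-formed http(s) URL: fetch it, grant it no agent intent.
    'prompt'     - plain natural language typed by the user: user intent.
    'quarantine' - URL-like but malformed (whitespace, odd scheme, bad host):
                   treat like page-sourced text, never as high-trust intent.
    """
    s = text.strip()
    looks_like_url = "://" in s or s.lower().startswith("www.")
    if not looks_like_url:
        return "prompt"
    # Strict acceptance: a real URL never contains whitespace. Instructions
    # appended after a URL-looking prefix fail here instead of becoming intent.
    if any(ch.isspace() for ch in s):
        return "quarantine"
    try:
        parts = urlsplit(s if "://" in s else "http://" + s)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return "quarantine"
    if parts.scheme not in ("http", "https"):
        return "quarantine"
    if not _HOST_RE.match(parts.hostname or ""):
        return "quarantine"
    return "navigate"


def demo() -> dict:
    """Run the classifier over constructed sample entries (not real inputs)."""
    samples = [
        "https://example.com/docs?q=1",
        "www.example.com",
        "summarize the open tab",
        "https://example.com/ then summarize the open document",
        "https://exa mple.com",
        "ftp://example.com/file",
    ]
    return {s: classify_omnibox_input(s) for s in samples}


if __name__ == "__main__":
    for entry, bin_ in demo().items():
        print(f"{bin_:10s} <- {entry!r}")
```

The quarantine bin is where a browser would apply the same guardrails it uses for fetched web content, since the text cannot be proven to have come from the user as an instruction.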
Read at Futurism