OpenAI has recently admitted that AI browsers with agent capabilities have inherent security vulnerabilities in their architecture, and it is currently very difficult to completely eliminate the risk of "prompt injection" attacks. This means that even as security measures continue to improve, this type of attack will remain a long-term technical challenge in the AI field, rather than a short-term "bug" that can be fixed.

image.png

Since OpenAI launched the Atlas AI Browser built into ChatGPT in October of this year, security risks have been under close scrutiny. Researchers found that attackers can manipulate the browser's underlying behavior without the user's knowledge by embedding specific instructions in web pages or documents. Because AI agents have high-level access, such as accessing emails and performing payments, once attacked, they are highly likely to cause sensitive data leaks or accidental operations.

To address this persistent issue, OpenAI is trying a differentiated defense approach. They have developed an "automated attacker" system based on large models. This system uses reinforcement learning technology to simulate hacker behavior for frequent penetration testing of AI agents. By deeply understanding the model's internal reasoning process, this "robotic hacker" can uncover new attack paths that human testers may miss, helping the development team complete patch fixes before real threats occur.

Industry experts point out that the risk of AI browsers lies in the product of their "autonomy" and "access permissions." Currently, manufacturers including Google and Brave are also seeking multi-layered defense strategies. OpenAI advises users to avoid granting AI agents overly broad permissions at this stage, such as requiring manual confirmation for critical actions like sending emails or initiating payments.