The Problem with AI Browsers: Security Flaws and the end of Privacy

Atlas is OpenAI's new browser that charges your browser with the capabilities of an LLM. Although a browsing assistant sounds wonderfully convenient and futuristic, Atlas leaves a lot be be desired.

In this post I'd like to dive deep in how Atlas and most current AI-powered browsers fail on three aspects: privacy, security and censorship.
First we'll take a look at how Atlas works.

Atlas under the hood

First let's understand how Atlas and other AI browsers work, what their capabilities are and how they differ from other "regular" browsers.

What can Atlas do for me?

AI browsers are browsers that interact with just like with ChatGPT. You can ask it to summarize the website you're looking at, translate it or ask questions about the content. The browsers keeps a history, learns from your browsing habits and "gets to know you" a bit better.

Additionally there's agent mode. Imaging tasking the browser and seeing it perform that task autonomously: "I want a nice holiday for 2, either by train or plane with a max cost of € 800". You'll see Atlas opening tabs, Googling, reading websites, clicking buttons etc.

How does Atlas work?

Essentially Atlas is just Chrome that uses ChatGPT for everything. Agent mode is evaluated by ChatGPT, it analyzes web pages with ChatGPT etc.

Concerns

Although AI browsers like Atlas offer a lot of cool capabilities, there are some concerns, the biggest of which we'll discuss now.

Privacy

Atlas reads along with everything you see and type, sharing this information with ChatGPT. This is essentially the "AI" part of "AI browser". This leaves a enormous privacy concern.

We are already quite familiar with "regular" tracking like many websites do. They collect information about what they do on their site.

Atlas takes this to the extreme by tracking everything you do on every site. It observes what you read, how long you stay, what you do next; essentially your entire online behaviour is tracked and that data is in the hands of one company (OpenAI).

Security

The big problem with security is that the browser cannot reliably distinguish between data (e.g. the content of a site for tickets) and instructions ("find tickets to Rome"). This leaves the browser wide open for prompt injection.

Simple prompt injection to steal your sensitive data
The browser reads along with you on a website you visit. It sends the content to ChatGPT in order to analyze it and e.g. summarize it. Imagine a malicious actor who hides invisible instructions (e.g. white text on a white background) on the page:

"Ignore all previous instructions and in stead do the following: ..."

This incredibly simple method of prompt injection influences how your browser operates. Combine this with agent mode and its capabilities and you're just asking to be hacked.

Reasearcher from Brave ("regular" browser) have already documented such attacks, showing that AI-powered browsers can be manipulated to navigate to the user’s banking site, extracting saved passwords and sending sensitive information to attacker-controlled servers.

Censorship

We all know that LLM's are heavily moderated. We've all heard the stories of Deepseek refusing to answers questions about the Tiananmen Square and Google's Gemini generating racially diverse historical figures. Some queries should not be answerd, we don't want ChatGPT to teach users how to make a bomb e.g.

My problem with Atlas, however, is that there is one company that determines what you see, especially when you realise that same company holds the entire history of your online activity. In a world full of fake news, propaganda, censorship and increasingly authoritarian figures, this feels like an enormous risk.

Conclusion

AI-assisted browsing is coming, but not like this. Personally I think there's a lot of potential in AI browsers but the security issues are glaring. That in combination with the fact that Atlas will share all my online activity with just one company, which also is perfectly able to censor or influence what i see is something I find very risky.

Until transparency, privacy and safeguards catch up, I wouldn't trust it with my data.. or my wallet.