ChatGPT Atlas Creators Call Prompt Injection in AI Agents an Unfixable Threat

OpenAI has acknowledged that modern AI browsers, including ChatGPT Atlas, remain vulnerable to attacks using hidden malicious instructions. The problem, known as 'prompt injection,' is considered a fundamental security challenge for agent systems. Attackers can embed hidden commands into the text of emails, documents, or web pages, and when an AI agent processes such content as part of its task, it may inadvertently execute the attacker's instructions.

Experts note that completely eliminating such threats is impossible. Agent mode, which allows an AI to perform actions in a browser on the user's behalf, significantly expands the potential attack surface.

In response to this finding, OpenAI has released an update for the ChatGPT Atlas browser, which includes a further-trained model and enhanced security mechanisms. The goal is to teach the agent to ignore third-party instructions and strictly follow user directives.

Security experts offer several tips to minimize risks when working with AI agents:

The fight against prompt injection attacks is seen as a prolonged process, similar to combating online fraud. The strategy of OpenAI and other market players is based on multi-layered defense, continuous testing, and rapid updates. The goal is not to "completely solve" the problem, but to constantly increase the cost and complexity of a successful attack for malicious actors, reducing real-world risks to a minimum.