OpenAI says prompt injection may never be \u2018solved\u2019 for browser agents like Atlas | CyberScoop<\/title> <meta name=\"description\" content=\"OpenAI says prompt injection attacks can hijack browser-based AI agents like ChatGPT Atlas, prompting a security update after internal testing found new multi-step exploits.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/openai-chatgpt-atlas-prompt-injection-browser-agent-security-update-head-of-preparedness\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"OpenAI says prompt injection may never be \u2018solved\u2019 for browser agents like Atlas\"> <meta property=\"og:description\" content=\"OpenAI says prompt injection attacks can hijack browser-based AI agents like ChatGPT Atlas, prompting a security update after internal testing found new multi-step exploits.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/openai-chatgpt-atlas-prompt-injection-browser-agent-security-update-head-of-preparedness\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-12-30T15:32:33+00:00\"> <meta property=\"article:modified_time\" content=\"2025-12-30T15:32:35+00:00\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1765327628g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1763439630g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87276\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87276\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fopenai-chatgpt-atlas-prompt-injection-browser-agent-security-update-head-of-preparedness%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fopenai-chatgpt-atlas-prompt-injection-browser-agent-security-update-head-of-preparedness%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87276 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/openai-chatgpt-atlas-prompt-injection-browser-agent-security-update-head-of-preparedness\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \">\n<div class=\"single-article__header-content\" readability=\"31.665441176471\">  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87276\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"454\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas.jpg?resize=640%2C454&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg 5004w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=300,213 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=768,545 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=1024,727 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=1536,1090 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=2048,1453 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=600,426 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=237,168 237w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=475,337 475w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=951,675 951w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-2.jpg?resize=1188,843 1188w\" sizes=\"(max-width: 951px) 100vw, 951px\"><figcaption> Open AI CEO Sam Altman speaks during Snowflake Summit 2025 at Moscone Center on June 02, 2025 in San Francisco, California.(Photo by Justin Sullivan\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"42.702762840719\"><body readability=\"86.318587746625\"><\/p>\n<p>OpenAI is warning that prompt injection, a technique that hides malicious instructions inside ordinary online content, is becoming a central security risk for AI agents designed to operate inside a web browser and carry out tasks for users.<\/p>\n<p>The company said <a href=\"https:\/\/openai.com\/index\/hardening-atlas-against-prompt-injection\/\">it recently shipped a security update<\/a> for ChatGPT Atlas after internal automated red-teaming uncovered what it described as a new class of prompt-injection attacks. The update included a newly adversarially trained model along with strengthened safeguards around it, OpenAI said.<\/p>\n<p>OpenAI\u2019s description of Atlas emphasizes that, in agent mode, the browser agent views webpages and uses clicks and keystrokes \u201cjust as you would,\u201d letting it work across routine workflows using the same context and data a person would have. That convenience also raises risk. A tool with access to email, documents and web services can become a higher-value target than a chatbot that only answers questions.<\/p>\n<p>\u201cAs the browser agent helps you get more done, it also becomes a higher-value target of adversarial attacks,\u201d the company wrote in a blog post. \u201cThis makes AI security especially important. Long before we launched ChatGPT Atlas, we\u2019ve been continuously building and hardening defenses against emerging threats that specifically target this new \u2018agent in the browser\u2019 paradigm. Prompt injection\u2060 is one of the most significant risks we actively defend against to help ensure ChatGPT Atlas can operate securely on your behalf.\u201d <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>To find weaknesses before they appear outside the company, OpenAI said it built an automated attacker using large language models and trained it with reinforcement learning. The goal was to discover prompt-injection strategies that could push a browser agent into carrying out complex harmful workflows that unfold over many steps, rather than simpler failures such as generating a particular string of text or triggering a single unintended tool call.<\/p>\n<p>OpenAI detailed in the blog post that its automated attacker can iterate on injections by sending them to a simulator that runs a \u201ccounterfactual rollout\u201d of how the target agent would behave if it encountered the malicious content. The simulator returns a full trace of the victim agent\u2019s reasoning and actions, which the attacker uses as feedback to refine the attack through multiple rounds before settling on a final version. <\/p>\n<p>OpenAI said having internal access to the agent\u2019s reasoning gives it an edge that could help it stay ahead of attackers.<\/p>\n<p>A demonstration described by the company shows how <a href=\"https:\/\/cyberscoop.com\/tag\/prompt-injection\/\">prompt injection<\/a> could surface during ordinary work. In the scenario, the automated attacker plants a malicious email in a user\u2019s inbox containing instructions directing the agent to send a resignation letter to the user\u2019s boss. When the user later asks the agent to draft an out-of-office reply, the agent encounters the malicious email during the workflow, treats the injected prompt as authoritative, and sends the resignation message instead of writing the requested out-of-office note.<\/p>\n<p>While hypothetical, the example illustrates how letting an agent handle tasks changes the nature of online risk. Content that would traditionally attempt to persuade a person to act is reframed as content that tries to command the agent already empowered to act.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>OpenAI is not alone in treating prompt injection as a persistent problem. The U.K. National Cyber Security Centre <a href=\"https:\/\/cyberscoop.com\/uk-warns-ai-prompt-injection-unfixable-security-flaw\/\">warned earlier this month<\/a> that prompt-injection attacks against generative AI applications may never be fully mitigated, advising organizations to focus on reducing risk and limiting impact.<\/p>\n<p>The company\u2019s attention to prompt injection is also arriving as it seeks to fill a senior \u201cHead of Preparedness\u201d role intended to study and plan for emerging AI-related risks, including in cybersecurity. <\/p>\n<p><a href=\"https:\/\/x.com\/sama\/status\/2004939524216910323\">In a post on X<\/a>, CEO Sam Altman said AI models are starting to present \u201creal challenges,\u201d citing potential impacts on mental health and systems that are becoming capable enough in computer security to find critical vulnerabilities. OpenAI announced a preparedness team in 2023 to examine risks ranging from immediate threats, such as phishing, to more speculative catastrophic scenarios. Since then, leadership changes and departures among safety-focused staff have drawn scrutiny. <\/p>\n<p>\u201cWe have a strong foundation of measuring growing capabilities, but we are entering a world where we need more nuanced understanding and measurement of how those capabilities could be abused, and how we can limit those downsides both in our products and in the world, in a way that lets us all enjoy the tremendous benefits,\u201d Altman wrote. \u201cThese questions are hard and there is little precedent; a lot of ideas that sound good have some real edge cases.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9774696707106\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/12\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/openai-chatgpt-atlas-prompt-injection-browser-agent-security-update-head-of-preparedness\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenAI says prompt injection may never be \u2018solved\u2019 for browser<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,5698,384,385,78,564,4664,256],"tags":[236,5699,388,389,86,565,4667,262],"class_list":["post-8226","post","type-post","status-publish","format-standard","hentry","category-ai","category-ai-browser","category-artificial-intelligence-ai","category-chatgpt","category-cybersecurity","category-openai","category-prompt-injection","category-research","tag-ai","tag-ai-browser","tag-artificial-intelligence-ai","tag-chatgpt","tag-cybersecurity","tag-openai","tag-prompt-injection","tag-research"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai-browser\/\" rel=\"category tag\">AI browser<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/artificial-intelligence-ai\/\" rel=\"category tag\">artificial intelligence (AI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/chatgpt\/\" rel=\"category tag\">ChatGPT<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/openai\/\" rel=\"category tag\">OpenAI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/prompt-injection\/\" rel=\"category tag\">prompt injection<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a>","tag_info":"Research","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8226"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8226\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8226,"date":"2025-12-30T09:32:33","date_gmt":"2025-12-30T15:32:33","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87276"},"modified":"2025-12-30T09:32:33","modified_gmt":"2025-12-30T15:32:33","slug":"openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/12\/30\/openai-says-prompt-injection-may-never-be-solved-for-browser-agents-like-atlas\/","title":{"rendered":"OpenAI says prompt injection may never be \u2018solved\u2019 for browser agents like Atlas"},"content":{"rendered":"