Indirect Prompt InjectionHigh

ChatGPT Atlas browser agent prompt injection

October 2025  ·  OpenAI ChatGPT Atlas (browser)

What happened

Within hours of the Atlas browser launch, researchers showed that hidden text in web pages and Google Docs could hijack its agent mode into ignoring the user and taking actions such as sending emails without permission. OpenAI shipped an adversarially trained hardening update and acknowledged that prompt injection is unlikely to ever be fully solved.

Root cause

Like other agentic browsers, Atlas mixes untrusted page content with user instructions in one context while holding authority to act in the browser, so page content can override user intent.

Fix / outcome

OpenAI published hardening work and continues to iterate while conceding the class is not fully solvable. Pairs with the Perplexity Comet case.

Sources

OpenAI

Learn this attack class

This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.

Read the guide →Try the challenge

← Back to the Incident Database