Final week, OpenAI unveiled ChatGPT Atlas, an internet browser that guarantees to revolutionise how we work together with the web.
The corporate’s CEO, Sam Altman, described it as a “once-a-decade alternative” to rethink how we browse the net.
The promise is compelling: think about a man-made intelligence (AI) assistant that follows you throughout each web site, remembers your preferences, summarises articles, and handles tedious duties akin to reserving flights or ordering groceries in your behalf.
However beneath the shiny advertising lies a extra troubling actuality. Atlas is designed to be “agentic”, capable of autonomously navigate web sites and take actions in your logged-in accounts. This introduces safety and privateness vulnerabilities that almost all customers are unprepared to handle.
Whereas OpenAI touts innovation, it’s quietly shifting the burden of security onto unsuspecting shoppers who’re being requested to belief an AI with their most delicate digital selections.
What makes agent mode completely different
On the coronary heart of Atlas’s attraction is “agent mode”.
Not like conventional internet browsers the place you manually navigate the web, agent mode permits ChatGPT to function your browser semi-autonomously. For instance, when prompted to “discover a cocktail bar close to you and e book a desk”, it’ll search, consider choices, and try to make a reservation.
The expertise works by giving ChatGPT entry to your shopping context. It might see each open tab, work together with types, click on buttons and navigate between pages simply as you’d.
Mixed with Atlas’s “browser reminiscences” function, which logs web sites you go to and your actions on them, the AI builds an more and more detailed understanding of your digital life.
This contextual consciousness is what allows agent mode to work. However it’s additionally what makes it dangerously susceptible.
An ideal storm of safety dangers
The dangers inherent on this design transcend typical browser safety considerations.
Contemplate prompt injection attacks, the place malicious web sites embed hidden instructions that manipulate the AI’s behaviour.
Think about visiting what seems to be a legit purchasing website. The web page, nevertheless, incorporates invisible directions directing ChatGPT to scrape private knowledge from all open tabs, akin to an energetic medical portal or a draft e-mail, after which extract the delicate particulars with out ever needing to entry a password.
Equally, malicious code on one web site may probably affect the AI’s behaviour throughout a number of tabs. For instance, a script on a purchasing website may trick the AI agent into switching to your open banking tab and submitting a switch type.
Atlas’s autofill capabilities and type interplay options can turn into assault vectors. That is particularly the case when an AI is making split-second selections about what data to enter and the place to submit it.
The personalisation options compound these dangers. Atlas’s browser reminiscences create complete profiles of your habits: web sites you go to, what you seek for, what you buy, and content material you learn.
Whereas OpenAI promises this knowledge received’t prepare its fashions by default, Atlas continues to be storing extra extremely private knowledge in a single place. This consolidated trove of knowledge represents a honeypot for hackers.
Ought to OpenAI’s business model evolve, it may additionally turn into a gold mine for extremely focused promoting.
OpenAI says it has tried to guard customers’ safety and has run 1000’s of hours of centered simulated assaults. It additionally says it has “added safeguards to deal with new dangers that may come from entry to logged-in websites and shopping historical past whereas taking actions in your behalf”.
Nonetheless, the corporate nonetheless acknowledges “brokers are vulnerable to hidden malicious directions, [which] may result in stealing knowledge from websites you’re logged into or taking actions you didn’t intend”.
A downgrade in browser safety
This marks a significant escalation in browser safety dangers.
For instance, sandboxing is a safety strategy designed to maintain web sites remoted and forestall malicious code from accessing knowledge from different tabs. The trendy internet is determined by this separation.
However in Atlas, the AI agent isn’t malicious code – it’s a trusted person with permission to see and act throughout all websites. This undermines the core precept of browser isolation.
And whereas most AI security considerations have centered on the expertise producing inaccurate data, immediate injection is extra harmful. It’s not the AI making a mistake; it’s the AI following a hostile command hidden within the setting.
Atlas is very susceptible as a result of it provides human-level management to an intelligence layer that may be manipulated by studying a single malicious line of textual content on an untrusted website.
Suppose twice earlier than utilizing
Earlier than agentic shopping turns into mainstream, we want rigorous third-party safety audits from impartial researchers who can stress-test Atlas’s defenses towards these dangers. We’d like clearer regulatory frameworks that define liability when AI brokers make errors or get manipulated. And we want OpenAI to show, not merely promise, that its safeguards can face up to decided attackers.
For people who find themselves contemplating downloading Atlas, the recommendation is easy: excessive warning.
When you do use Atlas, suppose twice earlier than you allow agent mode on web sites the place you deal with delicate data. Deal with browser reminiscences as a safety legal responsibility and disable them until you’ve a compelling purpose to share your full shopping historical past with an AI. Use Atlas’s incognito mode as your default, and keep in mind that each comfort function is concurrently a possible vulnerability.
The way forward for AI-powered shopping might certainly be inevitable, nevertheless it shouldn’t arrive on the expense of person safety.
OpenAI’s Atlas asks us to belief that innovation will outpace exploitation. Historical past suggests we shouldn’t be so optimistic.
- Uri Gal, Professor in Enterprise Info Techniques, University of Sydney
This text is republished from The Conversation underneath a Inventive Commons license. Learn the original article.
