The browser is no longer just a window to the Internet and is becoming a tool that also operates within the web. In the case of Agent Mode in ChatGPT AtlasOpenAI explains that its agent views pages and can perform actions, clicks, and keystrokes within the browser, just as a person would. The promise is clear, to help in everyday flows with the same context and the same data. The consequence is also, the more power we concentrate in an agent, the more attractive he becomes to whoever seeks to manipulate him.
What is a prompt injection. In simple terms, a prompt injection is a technique that seeks to sneak malicious instructions into apparently normal content so that an artificial intelligence system interprets them as legitimate orders. IBM describes it as a type of cyber attack against language models in which malicious inputs are camouflaged as valid prompts to manipulate the behavior of the system. The objective can range from forcing inappropriate responses to causing information leaks or diverting a task, without the need to exploit classic software vulnerabilities.
The root of the problem is less “magical” than it seems and more structural. Many language model applications combine developer instructions and user input as natural language text strings, without rigid separation by data type. The model decides what to prioritize based on learned patterns and the context of the text itself, not because there is an infallible boundary between “order” and “content.” If an external instruction is formulated convincingly, it may gain weight even though it should not.
When the context becomes unfathomable. The risk is amplified when the agent does not process a single message, but rather goes through very different sources within the same order. OpenAI warns of a practically unlimited surface, emails and attachments, calendar invitations, shared documents, forums, social networks and arbitrary web pages. In that journey, the agent may encounter unreliable instructions mixed with legitimate content. The user doesn’t always see every step, but the system does consume it, and that’s where manipulation can creep in.
The disturbing thing is that this can fit into ordinary workflows without raising any obvious alarm. The AI signature describes an example where an attacker “seeds” an inbox with a malicious email, and later, when the user requests a harmless task, the agent reads that message during normal execution. In one case, the result is intentionally extreme, the agent ends up sending a resignation email instead of composing an automatic response. All this thanks to an external attack.
Why there is no perfect shielding. In cybersecurity there is a widely assumed idea, no system is completely secure, and OpenAI frames prompt injection as a persistent problem. In his text he formulates it like this: “We hope that attackers continue to adapt. The injection of prompts, such as scams and social engineering on the web, will hardly be completely resolved.” The objective, therefore, is not to promise invulnerability, but to raise the cost of the attack and reduce the impact when something fails.
In this context, those led by Sam Altman explain that it has deployed a security update for the Atlas agent motivated by a new class of attacks discovered through network teaming automated internal. The company says the delivery includes an adversarially trained agent model and strengthened safeguards around the system, intended to improve its resistance to unwanted instructions during navigation.
What we do still matters. OpenAI recommends using the offline agent when you don’t need to access sites with an account, and calmly review confirmation requests for sensitive actions, such as sending an email or completing a purchase. He also advises giving explicit and limited instructions, avoiding overly broad assignments that force the agent to go through large volumes of content. It does not eliminate risk, but it reduces opportunities for manipulation and helps existing controls work as designed.
Images | OpenAI
In Xataka | How often should we change ALL our passwords according to three cybersecurity experts
GIPHY App Key not set. Please check settings