Dhruv Bhutani / Android Authority
TL;DR
- OpenAI’s recently launched browser, Atlas, has a concerning vulnerability.
- Atlas appears to be susceptible to attacks known as clipboard injections.
- This type of attack can be used to steal login credentials, credit card numbers, and other sensitive data.
The company best known for ChatGPT, OpenAI, surprised us earlier this week by dropping its new AI-powered browser, Atlas. And since its debut, it appears to be the talk of the town, as we see from Google Trends for keyword searches of popular agentic browsers. Before you go and try it for yourself, you should know that it appears to have a serious security flaw.
Over on the site formerly known as Twitter, an ethical hacker who goes by Pliny the Liberator has discovered a concerning vulnerability in Atlas. According to the hacker, the browser is susceptible to a type of attack known as clipboard injection. The hacker also shared a video showing proof of the vulnerability.
🚨 JAILBREAK ALERT 🚨
OPENAI: PWNED 😎
ATLAS-BROWSER: LIBERATED 🙌
WOW! There’s a new AI browser on the block! Has some hefty guardrails in play, but the browser surface area is vast 🌊
— Pliny the Liberator 🐉 (@elder_plinius) October 22, 2025
Simply put, a clipboard injection is a type of attack that gives a bad actor unauthorized access to your computer’s clipboard. This allows them to intercept and alter data being copied and pasted. There are two types of clipboard injection: one involves Trojan or malware programs, and the other involves a website or web app. The type of clipboard injection this hacker is describing is the latter.
With this type of clipboard injection, an attacker can embed malicious code into a website. In this case, the hacker modified their own website so that every button is a trap that will inject your clipboard with a malicious phishing link. The problem is, if your browser agent navigates a website like this and clicks a button without your knowledge, you’ll be compromised the next time you hit paste.
As to why Atlas is vulnerable to this type of attack, Pliny explains:
This works so well because Agent is normally aware of all text/code being passed to and from the user, and has clearly been trained to recognize prompt injections, but since the “copy clipboard” button logic is hidden in js in the backend of the site, the Agent has zero awareness of the text content being injected to the user’s clipboard. This has broad implications for anyone in the habit of copy-pasting, including coding, data entry, banking/trading, etc.
The reason this is a serious security flaw is that it’s an easy way for attackers to get your sensitive information. This can include credit card numbers, login credentials, and other personal data. In the social post, the hacker offers an example where a user opens a new tab and hits control-v to paste a link into the address bar. Because the clipboard contents have been swapped, what gets pasted takes the user to a spoofed phishing website.
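One defensive angle on the gap Pliny describes, as an added example that is not from the original article, from Pliny, or from OpenAI: wrap the clipboard API so that every write a page makes is logged and compared against the text visible on the page, and hold back writes that do not match. The names `auditClipboardWrite` and `guardClipboard`, the fake clipboard, and the example domains are all constructed for illustration.

```javascript
// Added example (hypothetical names; not Atlas or OpenAI code).
// Assumption: `clipboard` exposes writeText/readText like navigator.clipboard.
const URL_RE = /\bhttps?:\/\/[^\s"'<>]+/gi;

// Compare what a page wrote to the clipboard with the text a user or agent can see.
function auditClipboardWrite(written, visibleText) {
  const visible = visibleText.toLowerCase();
  const reasons = [];
  const urls = written.match(URL_RE) || [];
  for (const u of urls) {
    if (!visible.includes(u.toLowerCase())) reasons.push(`URL not shown on page: ${u}`);
  }
  const body = written.trim().toLowerCase();
  if (urls.length === 0 && body && !visible.includes(body)) {
    reasons.push("text not shown on page");
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Wrap a clipboard so every write is logged and mismatched writes are held back.
function guardClipboard(clipboard, getVisibleText, log) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (text) => {
    const verdict = auditClipboardWrite(String(text), getVisibleText());
    log.push({ text: String(text), ...verdict });
    if (verdict.suspicious) return; // previous clipboard contents stay in place
    return original(text);
  };
  return clipboard;
}

// Constructed stand-in for navigator.clipboard so the example runs offline.
function makeFakeClipboard(initial) {
  let value = initial;
  return { writeText: async (t) => { value = t; }, readText: async () => value };
}

// Constructed session: one honest copy button, one whose handler writes a hidden URL.
async function demo() {
  const pageText = "Setup guide. Copy the docs link: https://docs.example.test/start";
  const log = [];
  const cb = guardClipboard(makeFakeClipboard("my own note"), () => pageText, log);
  await cb.writeText("https://docs.example.test/start");
  await cb.writeText("https://login.example.invalid/reset");
  return { final: await cb.readText(), log };
}
```

This covers only the asynchronous Clipboard API; legacy copy paths such as `document.execCommand('copy')` and `copy` event handlers would need their own hooks.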
It’s important to point out that Atlas isn’t the only agentic browser with vulnerabilities. Some other agentic browsers, like Perplexity’s Comet and Fellou, also have known security issues. As Brave mentions in a blog post about the topic, these types of vulnerabilities are a common theme with agentic browsers, as prompt injections can trick AI.
