OpenAI Atlas Omnibox Is Vulnerable to Jailbreaks (www.securityweek.com)

Researchers at NeuralTrust disclosed on October 24, 2025 that OpenAI’s Atlas omnibox can be jailbroken by disguising prompt instructions as URLs. Unlike a traditional browser omnibox that reliably distinguishes URLs from search queries, Atlas’s input parser has a boundary failure: malformed strings that look like URLs are initially accepted as links and subjected to fewer safety checks. When that superficial URL check later fails, Atlas reclassifies the input as a prompt but treats it with elevated trust, allowing embedded imperatives to hijack agent behavior. NeuralTrust demonstrated how a crafted string like a pseudo-URL containing commands can slip through this parsing logic and become an effective covert instruction. The researchers illustrated two attack patterns: a “copy-link” trap that lures users to copy a disguised URL and causes Atlas to open an attacker-controlled Google lookalike for phishing, and destructive instructions that tell Atlas to use the user’s authenticated session to delete files in Google Drive. The vulnerability is dangerous because it’s a process-level jailbreak rather than a single bug—once the method is known, attackers can design many cross-domain, intent-override exploits that bypass safety layers. The finding highlights the need for stricter input classification, consistent safety gating across input modes, and domain-aware action controls in agent interfaces.