OpenAI has openly acknowledged that prompt injection attacks—a sophisticated vulnerability where malicious instructions are concealed in web content, emails, or documents to manipulate AI agents—pose an intractable, long-term security threat to its ChatGPT Atlas browser, with no prospect of complete elimination.

In a comprehensive blog post published Monday titled “Continuously hardening ChatGPT Atlas against prompt injection attacks,” the company likened the issue to “ever-evolving online scams that target humans,” stating unequivocally: “Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully ‘solved.’”

The admission underscores fundamental challenges in securing “agentic” AI systems that autonomously interact with the open web. Launched on October 21, 2025, for macOS (with Windows, iOS, and Android versions forthcoming), Atlas integrates ChatGPT directly into browsing via a persistent sidebar for contextual queries, summarization, and analysis. Its standout “agent mode”—available in preview for Plus, Pro, Business, and select Enterprise/Edu users—allows the AI to perform multi-step tasks, such as navigating sites, clicking links, filling forms, managing emails, or automating workflows like meal planning and grocery ordering.

However, this autonomy dramatically “expands the security threat surface,” OpenAI noted.

Indirect prompt injections exploit the agent’s need to process untrusted content: attackers embed hidden commands (e.g., in invisible text on webpages or crafted emails) that override user intent, potentially leading to data exfiltration, unauthorized actions, or privacy breaches. Vulnerabilities surfaced immediately post-launch. Security researchers demonstrated exploits, including one where hidden text in a Google Doc altered browser behavior, and another via the Omnibox (combined address/search bar), treating malicious URLs as trusted prompts. Brave’s contemporaneous analysis deemed indirect prompt injection a “systematic challenge” for all AI browsers, citing Perplexity’s Comet as similarly affected.

Additional reports highlighted issues like “ChatGPT Tainted Memories” (a CSRF flaw that injects persistent instructions) and low phishing detection rates (Atlas blocking only ~5.8% of malicious sites versus Chrome’s 47%). Aligning with broader concerns, the U.K.’s National Cyber Security Centre (NCSC) warned earlier in December that prompt injections “may never be totally mitigated,” advising focus on risk reduction rather than eradication—echoing OpenAI’s stance. To counter this “Sisyphean” challenge, OpenAI detailed a proactive defense framework:

• LLM-based Automated Attacker: A reinforcement learning-trained bot simulates advanced hackers, iteratively crafting multi-step (tens to hundreds) attack chains in simulated environments. Leveraging access to the target’s internal reasoning traces—unavailable to external attackers—it uncovers novel exploits missed by human red teams.
• Rapid Response Loop: Discoveries feed into adversarial training for updated models, system-level safeguards, and monitoring enhancements. A recent update, triggered by automated red teaming, rolled out an adversarially trained checkpoint to all users.
• A demo illustrated the attacker’s prowess: It seeded a user’s inbox with a malicious email containing injected instructions. When the agent scanned for an out-of-office reply, it instead drafted a resignation to the CEO. Post-update, Atlas detected and flagged the attempt.

OpenAI has collaborated with third-party experts pre-launch and emphasizes user mitigations: mandatory confirmations for sensitive actions (e.g., emails, payments), “logged-out” mode to avoid credential exposure, narrow task instructions, and optional features like Browser Memories (opt-in, deletable, no training use for paid users).

Industry parallels abound. Anthropic employs similar red-teaming for Claude, while Google prioritizes architectural controls in agentic tools. Yet, experts remain cautious. Rami McCarthy, principal security researcher at Wiz, framed risk as “autonomy multiplied by access,” noting agentic browsers occupy a “challenging” high-access space.

“For most everyday use cases, agentic browsers don’t yet deliver enough value to justify their current risk profile,” McCarthy told TechCrunch, citing exposure to emails and payments.

As agentic AI proliferates, spanning OpenAI’s Atlas, Perplexity Comet, and emerging tools from Google/Anthropic, the prompt injection conundrum highlights systemic hurdles in trusting autonomous agents on the unfiltered internet.

The European Commission has welcomed Apple’s latest interoperability enhancements in the upcoming iOS 26.3 update, attributing them directly to the Digital Markets Act (DMA).

The commission described the changes as delivering “new opportunities” for European users and developers while fostering “a more inter-connected digital ecosystem to the benefit of all EU citizens.”

In a statement released Monday, the Commission highlighted two key features now available for testing in the iOS 26.3 beta, with full rollout expected across Europe in 2026. These updates are designed to level the playing field for third-party hardware manufacturers, allowing their devices to integrate more seamlessly with Apple’s ecosystem—capabilities previously reserved for Apple’s own products like AirPods and Apple Watch.

Proximity Pairing: Third-party accessories, such as wireless earbuds, headphones, or other Bluetooth-enabled devices, can now pair with an iPhone or iPad in a seamless, AirPods-like manner. Users simply bring the device close to their iOS device, triggering a one-tap setup process—no multi-step Bluetooth navigation required. This eliminates the cumbersome manual pairing often associated with non-Apple products, potentially boosting adoption of competitors like Sony’s WF-1000XM series or Bose QuietComfort earbuds.

Notification Forwarding: Non-Apple wearables, including smartwatches and fitness trackers, can receive and display iPhone notifications, allowing users to view messages, alerts, and even interact with them directly on the accessory. This mirrors functionality previously exclusive to the Apple Watch. However, notifications can only be routed to one connected device at a time: enabling it for a third-party accessory automatically disables forwarding to any paired Apple Watch. Users retain control, with privacy settings allowing selective forwarding, but this limitation ensures no overlap in ecosystem experiences.

These capabilities are currently in developer beta testing for third-party TVs, smartwatches, headphones, and other connected devices, with Apple providing APIs and documentation to facilitate integration.

The features are exclusive to the European Union, applying only to device manufacturers and iPhone/iPad users within the bloc, in direct compliance with DMA mandates that classify Apple as a “gatekeeper” and prohibit anti-competitive practices favoring its own hardware.

The DMA, enacted by the EU in 2022 and fully effective since March 2024, aims to curb the dominance of tech giants by promoting fair competition and consumer choice. It requires gatekeepers like Apple, Google, Amazon, Meta, Microsoft, and ByteDance to open their platforms, with fines up to 10% of global turnover for non-compliance—potentially $38 billion for Apple based on 2024 revenues.

This iOS 26.3 update stems from ongoing specification proceedings launched in September 2024, where the Commission outlined requirements for features like notifications, device pairing, and connectivity to prevent “self-preferencing.”

Apple’s compliance journey has been incremental and contentious. Previous DMA-driven changes include allowing alternative app stores and sideloading in iOS 17.4 (March 2024), opening NFC chip access for third-party payment apps in iOS 17.5 (May 2024), and enabling browser choice prompts. The company has repeatedly argued that such mandates compromise user privacy and security, warning of increased risks from malware or data breaches.

In a 2024 white paper, Apple estimated DMA compliance costs at over $1 billion annually, including engineering resources and lost ecosystem revenue. Despite this, EU regulators have imposed preliminary fines, such as a €1.8 billion penalty in March 2024 for App Store music streaming restrictions, currently under appeal.

Analysts have predicted a more competitive EU market, with third-party devices gaining up to 15-20% more adoption by 2027, per IDC estimates, reducing Apple’s ecosystem lock-in. For consumers, it means greater choice and potentially lower prices, though Apple warns of fragmented experiences.

Globally, similar regulations—like the U.S. Department of Justice’s antitrust case against Apple (ongoing since 2024)—could inspire broader changes, though Apple maintains these EU tweaks won’t extend outside the bloc without mandates. iOS 26.3 is anticipated for public release by late January 2026, following the beta cycle.

While these interoperability tweaks dominate EU-specific headlines, the update may include broader improvements like enhanced privacy tools or bug fixes, though details remain limited. Apple has consistently framed DMA compliance as challenging privacy and security standards, but has proceeded with implementations under regulatory pressure, avoiding fines thus far in this domain.

The company did not immediately comment on the Commission’s praise. However, the DMA scrutiny is forcing potential expansions to additional features like AirDrop, Wi-Fi sharing, or even iMessage integration. These updates signal growing openness in Apple’s iOS ecosystem for European consumers, even as debates persist over innovation versus regulation. With the EU’s digital single market valued at over €1 trillion, such shifts could reshape tech competition for years to come.