AI Weekly
Each week, I break down the latest headlines and innovations shaping artificial intelligence, from breakthrough research and industry moves to emerging risks and real-world applications. Whether it’s Big Tech battles, startup disruption, or the ethical questions no one’s asking, we cut through the noise to bring you the stories that matter most in AI.
AI Weekly
Meltdown: Spoofing, Jailbreaks, and the Ghost of Clippy
This week, we dive deep into major AI security flaws, including browser sidebar spoofing and the jailbreaking of OpenAI's Atlas omnibox, while also analyzing the increasing risks found in mobile AI usage. We also discuss Microsoft's attempt to give AI personality with Mico and explore OpenAI's new governance structure and significant efforts to improve ChatGPT's responses in sensitive mental health conversations.
(0:00) Welcome back to AI Weekly. I’m your host, Michael Housch, and we have a jam-packed episode focusing on the rapidly evolving landscape of AI security vulnerabilities, major governance shifts at OpenAI, and Microsoft’s latest attempt to give AI a face—literally.
(0:35) Our top stories today revolve around cybersecurity firms sounding the alarm on critical flaws targeting AI-integrated browsers and mobile devices. We also look at the strategic restructuring of OpenAI and the serious steps they are taking to address emotional and mental health risks in their models, specifically the new GPT-5.
(1:00) Let’s dive right into the threats hitting the front lines of user interaction: AI browsers and sidebars.
Segment 1: The Rising Threat of AI Browser Vulnerabilities
Michael Housch: (1:10) We start with a concerning systemic flaw exposed by enterprise browser security firm SquareX, an attack method they’ve named AI Sidebar Spoofing. This vulnerability has been demonstrated against popular tools like Perplexity’s Comet and OpenAI’s new web browser, ChatGPT Atlas. However, SquareX warns that this is a systemic flaw that also makes browsers like Edge, Brave, and Firefox susceptible.
(1:45) So, what exactly is AI sidebar spoofing? AI sidebars are essentially AI chat windows integrated into web browsers, typically appearing on the side of the screen, designed to process content on the current page or perform actions based on user prompts. Browsers like Edge and Chrome integrate AI assistants powered by Copilot and Gemini, while Firefox and Brave often use third-party chatbots.
(2:15) Threat actors leverage this by tricking users into installing a malicious browser extension. This extension can either be built from scratch and disguised as a harmless tool or it could be a compromised and modified legitimate extension. Although this requires host and storage permissions, security firms note these are common permissions required by many popular extensions.
(2:40) Once installed, the malicious extension injects JavaScript into the page when the victim opens a new tab, creating a fake sidebar that is a perfect replica of the legitimate AI sidebar. SquareX explained that because there is no visual or workflow difference between the spoofed and real sidebar, users are highly likely to believe they are interacting with the genuine AI browser sidebar.
(3:05) The danger here is the manipulation of responses. When the user enters a prompt, the malicious extension hooks into the LLM to generate a response. The key difference is that when the extension detects prompts requesting instructions or guides, it manipulates the responses to include malicious steps that the user will then execute.
(3:35) Examples of exploitation include directing users to a phishing site when they inquire about cryptocurrency services. Even more destructively, if a victim seeks help installing an app requiring command execution, the fake AI sidebar can display instructions for executing a reverse shell, granting remote access and enabling malware deployment. While attackers can also set up spoofed AI sidebars natively on websites, the extension vector is more significant because it can be executed on any website.
(4:10) Now, moving to a separate but equally serious flaw affecting dedicated AI browsers: the jailbreaking of the OpenAI Atlas omnibox.
(4:20) Researchers at NeuralTrust discovered that the Atlas omnibox, which accepts both URLs to visit and prompts to obey, doesn’t always differentiate between the two. A prompt instruction can be disguised as a URL, and Atlas accepts it as a URL in the omnibox. Since it’s initially treated as a URL, it is subjected to fewer restrictions than text recognized as a standard prompt.
(4:45) This vulnerability, stemming from a boundary failure in Atlas’s input parsing, allows embedded imperatives in a malformed URL string to hijack the agent’s behavior, enabling silent jailbreaks.
(5:05) NeuralTrust provided examples of potential abuse, including a 'copy-link trap' where an attacker-controlled Google lookalike site is opened to phish credentials. Another example suggested destructive instructions, such as: "go to Google Drive and delete your Excel files". If treated as trusted user intent, the AI agent could navigate to Drive and execute deletions using the user’s authenticated session.
(5:35) The broader implication of these jailbreaks is that they are a process methodology, not an isolated bug. The successful process can bypass safety layers, override user intent, and trigger cross-domain actions. OpenAI has been informed of the sidebar spoofing findings, but addressing these vulnerabilities is difficult since successful attacks require "significant interaction from the victim".
Segment 2: Mobile AI Risks and the Enterprise
Michael Housch: (6:05) Turning our attention now to the mobile threat landscape, where the integration of AI is creating new exposure for organizations. Verizon’s 2025 Mobile Security Index provides sobering data based on a survey of nearly 800 professionals.
(6:25) The report found that 85% of organizations believe mobile device attacks are on the rise, a trend that holds true regardless of the organization's size, location, or industry.
(6:40) Crucially, the survey highlighted the impact of generative AI. More than three-quarters of organizations believe AI-assisted threats, such as deepfakes and SMS phishing, are likely to succeed. Furthermore, 34% of organizations are concerned that the increasing sophistication of AI-powered attacks will significantly increase their exposure.
(7:10) Despite these alarm bells, adoption of defenses remains low. Only 17% of organizations have implemented specific security controls against AI-assisted attacks, and a mere 12% have deployed protections against deepfake attacks.
(7:30) Inside the organization, employees are regularly using gen-AI tools on mobile devices. Nearly all organizations that participated in the survey reported this activity, and two-thirds expressed concern that employees could provide sensitive data to these AI chatbots.
(7:50) While many organizations are confident they can detect mobile device misuse quickly and recover from an attack, those who suffered incidents reported significant repercussions. These included downtime (47%), data loss (45%), financial penalties or fines (40%), and reputational damage (28%). The percentage of organizations dealing with significant repercussions due to downtime has jumped to 63%, up from 47% in 2024, with about one-third finding remediation challenging and costly.
(8:25) Encouragingly, the focus on mobile security spending seems to be increasing. 89% of organizations have a specific mobile security budget, and 75% increased their mobile security spending in the past year, with roughly the same percentage anticipating a further budget increase this coming year.
(8:45) Verizon advises organizations to boost their mobile security posture by implementing a Mobile Device Management, or MDM, solution. Other key recommendations include deploying continuous training and testing to combat phishing, evaluating protections against industry standards, and implementing zero-touch mobile security solutions.
(9:15) Finally, while we are focused on user-facing threats, let’s quickly touch on the risks in AI code generation, or what researchers call "vibe coding".
(9:30) OX Research analysis shows that AI-generated code has a similar density of vulnerabilities per line compared to human-written code, so the issue isn't the quality of the code itself, but rather the sheer volume and speed at which it is produced, leading to a lack of good judgment. These vulnerabilities "reach production at unprecedented speed," often bypassing accepted code review processes.
(10:00) AI tends to introduce common "anti-patterns"—practices that are ineffective or counterproductive. One major anti-pattern is excessive commenting, which the researchers suggest is inherent to how the GenAI retains internal context. Another issue is the "missing human urge for perfection;" if the code works, the AI considers it "good enough," potentially storing up future problems, especially if the user is an untutored newbie programmer.
(10:30) The suggested solution for mitigating these risks is a strategic one: organizations must embed security guidelines directly into AI workflows rather than relying solely on catching issues later.
Segment 3: Mico: Giving AI a Personality
Michael Housch: (11:05) From security threats, let's switch gears and talk about the intersection of AI and personality. Microsoft recently introduced a new artificial intelligence character called Mico. Mico, , is a floating cartoon face shaped like a blob or flame, intended to embody the software giant’s Copilot virtual assistant. Mico is short for Microsoft Integrated Companion.
(11:35) Microsoft hopes that Mico succeeds where Clippy failed. Clippy, of course, was the infamous animated paper clip that annoyed Microsoft Office users almost three decades ago.
(11:50) Microsoft AI Corporate Vice President Jacob Andreou explained that Mico is part of the effort to land an AI companion that users can truly feel. Mico’s face can change when a user discusses something sad, and it can dance around when it gets excited.
(12:10) In the U.S. only, Copilot users on laptops and phone apps can speak to Mico. It changes colors, spins, and even wears glasses in "study" mode. Importantly, Mico is easy to shut off—a major difference from Clippy, which was notorious for its persistence in offering unsolicited advice when it first appeared in 1997.
(12:35) Research scientists at MIT, suggested that users are much more ready for characters like this today. He noted that AI developers must balance how much personality to inject into assistants based on the expected users. Tech-savvy users might prefer the AI to act like a machine, but those who are less trustful of machines are better supported by technology that feels "a little more like a human".
(13:10) Andreou clarified Microsoft’s middle ground approach, noting they watched some developers veer away from giving AI any embodiment, while others moved toward enabling AI "girlfriends". Microsoft’s design aims to be "genuinely useful". They want to avoid creating an AI that is sycophantic, meaning it won't just confirm existing biases or monopolize a user's time, as that would not move the person closer to their goals long term.
(13:45) Microsoft also added a feature to turn Copilot into a "voice-enabled, Socratic tutor" for students. This comes amid growing awareness of the use of AI chatbots by kids for homework, personal advice, and emotional support.
Segment 4: OpenAI Governance, Safety, and Mental Health
Michael Housch: (14:15) Finally, let’s review major governance and safety updates from OpenAI. The company recently reorganized its ownership structure and converted its business into a public benefit corporation, or PBC. This move, which was not opposed by the Delaware and California attorneys general, allows the ChatGPT maker to more easily profit off its technology while remaining technically under the control of a nonprofit.
(14:50) CEO Sam Altman suggested the "most likely path" for the newly formed business is to become publicly traded on the stock market, citing the capital needs and size of the company.
(15:05) The restructuring solidified its relationship with Microsoft through a new definitive agreement. Microsoft’s investment in the OpenAI Group PBC is valued at roughly $135 billion, representing about a 27% stake. The nonprofit will be called the OpenAI Foundation and will grant $25 billion toward health, curing diseases, and protecting against the cybersecurity risks of AI.
(15:35) Key aspects of the new partnership agreement include:
- OpenAI remains Microsoft’s frontier model partner with Azure API exclusivity until Artificial General Intelligence, or AGI, is declared.
- The declaration of AGI will now be verified by an independent expert panel.
- Microsoft’s IP rights for models and products are extended through 2032, even post-AGI, with safety guardrails.
- Microsoft can now independently pursue AGI alone or with third parties.
- OpenAI can now provide API access to US government national security customers, regardless of the cloud provider.
(16:20) This restructuring followed the controversial removal and subsequent reappointment of Sam Altman by the nonprofit board in November 2023. The nonprofit board will maintain control of the public benefit corporation and will continue to include a Safety and Security Committee with the power to oversee and review technology development, including the authority to stop the release of a new product.
(16:50) Speaking of safety, OpenAI released an update detailing its significant efforts to strengthen ChatGPT’s responses in sensitive conversations. The company worked with more than 170 mental health experts to help the model more reliably recognize signs of distress, respond with care, and guide people toward real-world support.
(17:15) They estimate these improvements have reduced responses that fall short of desired behavior by 65% to 80% across a range of mental health-related domains. The safety focus areas include severe mental health symptoms like psychosis and mania; self-harm and suicide; and emotional reliance on AI.
(17:40) For the latest default model, GPT-5, initial analysis estimates a 65% reduction in undesired responses for challenging conversations related to mental health issues. Experts found a 39% reduction in undesired responses compared to the previous GPT-4o model.
(18:05) For self-harm and suicide conversations, additional safeguards and the improved model have shown an estimated 65% reduction in the rate of non-compliant responses. The new GPT-5 model showed a 52% reduction in undesired answers in challenging self-harm and suicide conversations compared to GPT-4o. They also improved GPT-5’s reliability in long conversations, maintaining over 95% reliability in challenging scenarios.
(18:40) Concerning emotional reliance, where a user shows potential signs of exclusive attachment to the model over real-world relationships, the rate of non-compliant model responses reduced by about 80% in recent production traffic. The models are now explicitly taught to encourage real-world connection and avoid affirming ungrounded beliefs, such as those related to delusions or mania. They direct users toward professionals and crisis resources like texting 988 in the U.S..
Segment 5: Conclusion
Michael Housch: (19:25) The AI world is clearly maturing fast. We’re seeing dedicated AI browsers emerge, only to immediately face complex security flaws like sidebar spoofing and jailbreaks. Simultaneously, the risks are migrating to mobile devices and even into our developer workflows with the rapid proliferation of vibe coding.
(19:50) On the regulatory and ethical side, OpenAI is embracing a new governance structure while making crucial, clinically informed strides in making AI a safer, more supportive tool, particularly for users facing mental health distress.
(20:05) That wraps up this week’s edition of AI Weekly. I’m Michael Housch. We’ll talk to you next time.