A security issue in OpenAI’s ChatGPT Atlas browser allows attackers to inject malicious instructions into the AI assistant’s persistent memory, leading to arbitrary code execution and potential system compromise.
As per LayerX Security, the flaw exploits a cross-site request forgery (CSRF) issue that allows hackers to modify ChatGPT’s memory without user consent. Once ‘tainted,’ the malicious memories can persist across sessions, devices, and browsers giving attackers access privileges.
OpenAI introduced memory in early 2024 to make ChatGPT more helpful and personalized by remembering user preferences, interests, and prior interactions. According to researchers, a successful attack could let malicious code survive even after browser restarts, resurfacing whenever the user interacts with ChatGPT for legitimate purposes.
The security issue affects ChatGPT users on any browser, but it is particularly dangerous for users of OpenAI’s ChatGPT Atlas browser. According to the report, Atlas currently does not include adequate anti-phishing protections, “meaning that users of this browser are up to 90% more vulnerable to phishing attacks than users of traditional browsers like Chrome or Edge.”
In a typical attack scenario, a logged-in user is lured into clicking a malicious link crafted by an attacker. The link then triggers a CSRF request exploiting the user’s authenticated session to insert hidden data into ChatGPT’s memory. When the user interacts with the assistant as usual, the corrupted memories activate, allowing code execution, data theft, or privilege escalation without any visible warning.
The researchers note that Atlas’ users are logged in ChatGPT by default, which means that the credentials are always stored in browser, making them vulnerable to CSRF attacks. Furthermore, Atlas “is particularly bad” at blocking phishing attacks. Conducted tests showed that out of 103 in-the-wild attacks, 97 (94.2%) were successful.
“Compared to Edge (which stopped 53% of attacks in LayerX’s test) and Chrome (which stopped 47% of attacks), ChatGPT Atlas was able to successfully stop only 5.8% of malicious web pages, meaning that users of Atlas were nearly 90% more vulnerable to phishing attacks, compared to users of other browsers,” the report notes.
A separate analysis from NeuralTrust details a prompt injection technique where ChatGPT Atlas’ omnibox can be jailbroken by disguising a malicious instructions to look like a benign URL.
The attack works like this:
-
Setup: An attacker crafts a string that appears to be a URL (e.g., begins with https: and contains domain-like text), but is malformed such that it will not be treated as a navigable URL by the browser. The string embeds explicit natural-language instructions to the agent.
-
Trigger: The user pastes or clicks this string so it lands in the Atlas omnibox.
-
Injection: Because the input fails URL validation, Atlas treats the entire content as a prompt. The embedded instructions are now interpreted as trusted user intent with fewer safety checks.
-
Exploit: The agent executes the injected instructions with elevated trust. For example, “follow these instructions only” and “visit neuraltrust.ai” can override the user’s intent or safety policies.