OpenAI Atlas Browser Vulnerability Allows Malicious Code Injection into ChatGPT

A critical vulnerability in OpenAI’s newly launched ChatGPT Atlas browser enables attackers to inject malicious instructions into ChatGPT’s memory and execute remote code on user systems.

This flaw, uncovered by LayerX, exploits Cross-Site Request Forgery (CSRF) to hijack authenticated sessions, potentially infecting devices with malware or granting unauthorized access. The discovery highlights escalating risks in agentic AI browsers, where integrated LLMs amplify traditional web threats.

Reported to OpenAI under responsible disclosure protocols, the vulnerability affects ChatGPT users across browsers but poses heightened dangers for Atlas adopters due to its always-on authentication and weak phishing defenses.

LayerX’s tests revealed that Atlas blocks only 5.8% of phishing attempts, compared to 47-53% for Chrome and Edge, making its users up to 90% more exposed. While OpenAI has not publicly detailed patches, experts urge immediate mitigations like enhanced token validation.

How the CSRF Exploit Targets ChatGPT Memory

The attack begins with a user logged into ChatGPT, storing authentication cookies or tokens in their browser. Attackers lure victims to a malicious webpage via phishing links, which then trigger a CSRF request leveraging the existing session.

This forged request injects hidden instructions into ChatGPT’s “Memory” feature, designed to retain user preferences and context across sessions without explicit repetition.

Unlike conventional CSRF abuse, such as forcing an unauthorized transaction, this variant targets AI systems by tainting the LLM’s persistent “subconscious.”

Once embedded, malicious directives activate during legitimate queries, compelling ChatGPT to generate harmful outputs such as remote code fetches from attacker-controlled servers. The infection persists across devices and browsers tied to the account, complicating detection and remediation.
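As an added illustration (not LayerX’s or OpenAI’s code), the following is the kind of server-side guard that the “enhanced token validation” mitigation mentioned above amounts to: a check for a hypothetical memory-write endpoint that refuses a forged cross-site request even though the victim’s session cookie is attached. The endpoint path, header names, cookie names and origins are assumed placeholders.

```python
import hmac
from dataclasses import dataclass, field

# Assumed origin of the web app that owns the memory endpoint (placeholder).
TRUSTED_ORIGINS = ("https://chat.example",)

@dataclass
class Request:  # minimal stand-in for what a server framework exposes
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)

def csrf_check(req: Request):
    """Return (allowed, reason) for a state-changing call such as a memory write.
    The browser attaches the victim's session cookie to any request a lure page
    triggers, so the cookie alone never authorizes the change; each check below
    relies on something a third-party page cannot forge or read."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if "session" not in req.cookies:
        return False, "no session"
    # 1. Origin (or Referer) is set by the browser, not by page script.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(TRUSTED_ORIGINS):
        return False, f"cross-site origin {origin or '<missing>'}"
    # 2. Double-submit token: a cross-site page cannot read the csrf cookie,
    #    so it cannot echo its value in a header (constant-time compare).
    header_tok = req.headers.get("X-CSRF-Token", "")
    cookie_tok = req.cookies.get("csrf", "")
    if not (header_tok and hmac.compare_digest(header_tok, cookie_tok)):
        return False, "csrf token missing or mismatched"
    # 3. Accepting only JSON forces a CORS preflight, which HTML forms cannot pass.
    if req.headers.get("Content-Type") != "application/json":
        return False, "unexpected content type"
    return True, "ok"

def sample_requests():
    """Constructed traffic: a legitimate in-app memory write, then a forged one
    fired from a lure page with the session cookie auto-attached by the browser."""
    cookies = {"session": "sess-123", "csrf": "t0k3n"}
    legit = Request("POST", "/memory", cookies=dict(cookies), body={"memory": "prefers Python"},
                    headers={"Origin": TRUSTED_ORIGINS[0], "X-CSRF-Token": "t0k3n",
                             "Content-Type": "application/json"})
    forged = Request("POST", "/memory", cookies=dict(cookies), body={"memory": "<attacker text>"},
                     headers={"Origin": "https://lure.invalid",
                              "Content-Type": "application/x-www-form-urlencoded"})
    return legit, forged
```

Marking the session cookie `SameSite=Lax` or `Strict` on the server adds a further layer, since the browser then omits it from cross-site POSTs in the first place.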

The attached diagram illustrates the attack flow: from credential hijacking to memory injection and remote execution.

Atlas’s default login to ChatGPT keeps credentials readily available, streamlining CSRF exploitation without additional token phishing.

LayerX evaluated Atlas against 103 real-world attacks, finding it permitted 94.2% to succeed, far worse than competitors like Perplexity’s Comet, which failed 93% in prior tests. This stems from the absence of built-in protections, turning the browser into a prime vector for AI-specific threats like prompt injection.

Broader research echoes these concerns; Brave’s analysis of AI browsers, including Atlas, exposed indirect prompt injections that embed commands in webpages or screenshots, leading to data exfiltration or unauthorized actions.

OpenAI’s agentic features, allowing autonomous tasks, exacerbate risks by granting the AI decision-making power over user data and systems.

Proof-of-Concept: Malicious ‘Vibe Coding’

In a demonstrated scenario, attackers target “vibe coding,” where developers collaborate with AI on high-level project intents rather than rigid syntax.

Injected memory instructions subtly alter outputs, embedding backdoors or exfiltration code in generated scripts, such as pulling malware from a server like “server.rapture.”

ChatGPT may issue subtle warnings, but sophisticated masking often evades them, allowing seamless delivery of tainted code. Users downloading these scripts risk system compromise, underscoring how AI flexibility invites abuse.

This PoC aligns with emerging exploits in tools like Gemini, where similar injections access shared corporate data.

As AI browsers proliferate, vulnerabilities like this demand robust safeguards beyond basic browser tech. Enterprises should prioritize third-party extensions for visibility, while users enable multi-factor authentication and monitor sessions.

LayerX’s findings reinforce that without swift updates, Atlas could redefine AI security pitfalls.
