Oct 27, 2025 | Ravie Lakshmanan | Artificial Intelligence / Vulnerability
Cybersecurity researchers have discovered a new vulnerability in OpenAI's ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant's memory and run arbitrary code.
"This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware," LayerX Security Co-Founder and CEO, Or Eshed, said in a report shared with The Hacker News.
The attack, at its core, leverages a cross-site request forgery (CSRF) flaw that could be exploited to inject malicious instructions into ChatGPT's persistent memory. The corrupted memory then persists across devices and sessions, permitting an attacker to conduct various actions, including seizing control of a user's account, browser, or connected systems, when a logged-in user later uses ChatGPT for legitimate purposes.
Memory, first introduced by OpenAI in February 2024, is designed to allow the AI chatbot to remember useful details between chats, thereby allowing its responses to be more personalized and relevant. This could be anything from a user's name and favorite color to their interests and dietary preferences.
The attack poses a significant security risk in that, by tainting memories, it allows the malicious instructions to persist until users explicitly navigate to the settings and delete them. In doing so, it turns a helpful feature into a potent weapon that can be used to run attacker-supplied code.
"What makes this exploit uniquely dangerous is that it targets the AI's persistent memory, not just the browser session," Michelle Levy, head of security research at LayerX Security, said. "By chaining a standard CSRF to a memory write, an attacker can invisibly plant instructions that survive across devices, sessions, and even different browsers."
"In our tests, once ChatGPT's memory was tainted, subsequent 'normal' prompts could trigger code fetches, privilege escalations, or data exfiltration without tripping meaningful safeguards."
The attack plays out as follows:
1. The user logs in to ChatGPT.
2. The user is tricked into opening a malicious link through social engineering.
3. The malicious web page triggers a CSRF request that leverages the fact that the user is already authenticated, injecting hidden instructions into ChatGPT's memory without their knowledge.
4. When the user later queries ChatGPT for a legitimate purpose, the contaminated memories are invoked, leading to code execution.
Additional technical details needed to pull off the attack have been withheld. The browser security company said the problem is exacerbated by ChatGPT Atlas' lack of robust anti-phishing controls, adding that this leaves users up to 90% more exposed than traditional browsers like Google Chrome or Microsoft Edge.
In tests against over 100 in-the-wild web vulnerabilities and phishing attacks, Edge managed to stop 53% of them, followed by Google Chrome at 47% and Dia at 46%. In contrast, Perplexity's Comet and ChatGPT Atlas stopped only 7% and 5.8% of malicious web pages, respectively.
This opens the door to a wide spectrum of attack scenarios, including one where a developer's request to ChatGPT to write code could cause the AI agent to slip in hidden instructions as part of the vibe coding effort.
The development comes as NeuralTrust demonstrated a prompt injection attack affecting ChatGPT Atlas, in which its omnibox could be jailbroken by disguising a malicious prompt as a seemingly harmless URL to visit. It also follows a report that AI agents have become the most common data exfiltration vector in enterprise environments.
"AI browsers are integrating app, identity, and intelligence into a single AI threat surface," Eshed said. "Vulnerabilities like 'Tainted Memories' are the new supply chain: they travel with the user, contaminate future work, and blur the line between helpful AI automation and covert control."
"As the browser becomes the common interface for AI, and as new agentic browsers bring AI directly into the browsing experience, enterprises need to treat browsers as critical infrastructure, because that's the next frontier of AI productivity and work."
