New ChatGPT Atlas browser exploit can hide persistent malicious instructions that execute code

Security researchers at LayerX say they’ve discovered a cross-site request forgery (CSRF) vulnerability in OpenAI’s ChatGPT Atlas browser that lets attackers inject hidden instructions into the assistant’s persistent memory, instructions that can survive sessions and devices and later trigger code execution or data exfiltration.

The flaw works by tricking a logged-in user into visiting a malicious page that issues an authenticated CSRF request to write attacker-controlled content into ChatGPT’s memory; subsequent “normal” prompts can then invoke those tainted memories to fetch code, escalate privileges, or leak information without obvious signs to the user. 

LayerX’s tests found Atlas and some other AI-centric browsers stopped far fewer phishing and malicious pages than mainstream browsers, increasing exposure when those browsers are used as an integrated AI interface for coding and other sensitive tasks. 

The practical risk is broad: infected memories can persist until users manually delete them from settings, meaning a single successful attack can contaminate future workflows across devices and teams, a supply-chain-style threat to development and enterprise environments that treat AI browsers as critical infrastructure.

Organisations should treat AI browsers like any other attack surface: restrict their use for sensitive work, enforce strict anti-phishing training, monitor for anomalous agent behaviour, and ensure users know how to review and clear AI memory entries.

OpenAI and other vendors will need to harden memory-write paths and add stronger anti-CSRF and anti-phishing controls to reduce this new class of risk. 
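
One way a service could gate a memory-write endpoint against the cross-site request described above, as an added example that is not OpenAI's or LayerX's code. The origin `https://assistant.example`, the `x-csrf-token` header and all function names are assumptions for illustration.

```javascript
// Added illustration: hypothetical server-side gate for a memory-write request.
const crypto = require('crypto');

const TRUSTED_ORIGINS = new Set(['https://assistant.example']); // assumed app origin
const SERVER_KEY = crypto.randomBytes(32); // per-deployment secret (constructed)

// Token bound to the session, so a page on another site cannot guess it.
function issueCsrfToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_KEY).update(sessionId).digest('hex');
}

// Constant-time comparison of the presented token with the expected one.
function tokenMatches(sessionId, presented) {
  const expected = Buffer.from(issueCsrfToken(sessionId));
  const got = Buffer.from(String(presented || ''));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// req: { sessionId, headers } with lower-case header names.
// Returns { allow, reason } so rejected writes can be logged and monitored.
function authorizeMemoryWrite(req) {
  const h = req.headers || {};
  if (!req.sessionId) return { allow: false, reason: 'no-session' };
  // Sec-Fetch-Site and Origin are set by the browser; page script cannot override them.
  const site = h['sec-fetch-site'];
  if (site && site !== 'same-origin') return { allow: false, reason: 'cross-site-fetch' };
  if (!h.origin || !TRUSTED_ORIGINS.has(h.origin)) return { allow: false, reason: 'bad-origin' };
  // The session cookie alone is never enough: require a token only same-origin script holds.
  if (!tokenMatches(req.sessionId, h['x-csrf-token'])) return { allow: false, reason: 'bad-token' };
  return { allow: true, reason: 'ok' };
}

// Constructed sample requests: one sent by a third-party page, one by the app itself.
const session = 'sess-1234';
const forged = { sessionId: session, headers: {
  origin: 'https://attacker.example', 'sec-fetch-site': 'cross-site' } };
const legit = { sessionId: session, headers: {
  origin: 'https://assistant.example', 'sec-fetch-site': 'same-origin',
  'x-csrf-token': issueCsrfToken(session) } };

console.log(authorizeMemoryWrite(forged), authorizeMemoryWrite(legit));
```

The `reason` values give the monitoring mentioned above something to alert on: repeated `cross-site-fetch` or `bad-origin` rejections for one account indicate a page trying to write to that user's memory.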

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543