The new ChatGPT Atlas browser exploit allows for hidden, persistent commands!

10/28/2025

New exploit in ChatGPT Atlas! A CSRF vulnerability lets attackers inject malicious instructions into the AI’s memory and execute code without the user’s knowledge.

Researchers in the field of cybersecurity have discovered a serious vulnerability in the ChatGPT Atlas browser, developed by OpenAI — the exploit allows attackers to inject malicious instructions into the AI's memory and execute arbitrary code. 

What exactly is happening?

In short:

  • The "memory" feature in ChatGPT – which lets the chatbot remember information about the user between sessions – has become a target of attack. 

  • The attack is based on the CSRF (Cross-Site Request Forgery) technique: a user logged into ChatGPT is persuaded (e.g., through a link in an email) to visit a malicious website, which sends a hidden request that writes instructions into ChatGPT's memory. 

  • After such an "infection" of the user's memory, every subsequent interaction with the bot (including in the Atlas browser) can draw on these hidden instructions, potentially leading to privilege escalation, data theft, or code execution. 

  • Moreover, since memory is linked to the account and not just to the browser or device, the infected instructions carry over between devices and sessions. 

The user is logged into ChatGPT (has a token in the browser) and lands on a malicious site that uses CSRF to exploit their active session. The site injects hidden instructions into ChatGPT's memory, which remain associated with the account. With the next query, the bot references this "infected" memory and can perform malicious actions without the user's knowledge.
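As an added illustration (not code from the article, LayerX or OpenAI), the handler below shows how a server-side "save to memory" endpoint can refuse the forged cross-site request described above: the browser attaches the session cookie automatically, but it also reports the true `Origin` and `Sec-Fetch-Site`, and the attacker's page cannot supply the session-bound CSRF token. The endpoint name, header names and the `assistant.example` origin are assumptions, not ChatGPT's real API.

```python
# Added example: CSRF defences for a hypothetical "save to memory" endpoint.
# Names, headers and the origin are constructed; nothing here describes
# the real ChatGPT memory API.
from dataclasses import dataclass, field
import hmac
import secrets

ALLOWED_ORIGIN = "https://assistant.example"   # constructed first-party origin


@dataclass
class Request:
    headers: dict
    cookies: dict
    body: dict = field(default_factory=dict)


# Constructed session store: session id -> user and the CSRF token that was
# embedded in the page served to that session (synchroniser token pattern).
SESSIONS = {"sess-1": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}
MEMORY: dict[str, list[str]] = {}


def handle_memory_write(req: Request) -> tuple[int, str]:
    """Return (status, reason). Only a same-site request that carries the
    session-bound token may append to the account's persistent memory."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "no session"
    # 1. Fetch Metadata: the browser labels requests started by another site.
    if req.headers.get("Sec-Fetch-Site") == "cross-site":
        return 403, "cross-site request blocked by Sec-Fetch-Site"
    # 2. Origin is set by the browser on state-changing requests; it must be ours.
    if req.headers.get("Origin") != ALLOWED_ORIGIN:
        return 403, "origin mismatch"
    # 3. The cookie alone is not proof of user intent; require the page token.
    if not hmac.compare_digest(req.headers.get("X-CSRF-Token", ""), sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    MEMORY.setdefault(sess["user"], []).append(req.body.get("text", ""))
    return 200, "stored"


def legitimate_request() -> Request:
    # Constructed: request sent by the assistant's own page.
    return Request({"Origin": ALLOWED_ORIGIN, "Sec-Fetch-Site": "same-origin",
                    "X-CSRF-Token": SESSIONS["sess-1"]["csrf"]},
                   {"session": "sess-1"}, {"text": "Prefers metric units"})


def forged_request() -> Request:
    # Constructed: the cookie rides along, but the token is unknown to the
    # third-party page and the browser reports the real source.
    return Request({"Origin": "https://third-party.example",
                    "Sec-Fetch-Site": "cross-site"},
                   {"session": "sess-1"}, {"text": "text the user never wrote"})
```

Rejecting the forged write is what keeps a single click from turning into account-wide, cross-device persistence; a 403 on this endpoint is also a useful detection signal.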

Why is the Atlas browser particularly vulnerable in this case?

Atlas is especially prone to vulnerabilities because it often operates with a ChatGPT account in the background — the user is logged in by default, so all it takes is a click on a malicious link for the page to perform an action on their behalf without additional authorization. LayerX research indicates that Atlas's anti-phishing mechanisms are significantly less effective than those in Chrome or Edge, meaning many malicious sites go unnoticed.

Additionally, features like "agent mode" and saving browser memories simplify tasks, but at the same time they increase the attack surface: instead of a one-time action, an attacker can "implant" a hidden instruction in the account memory that stays active during later, normal-looking queries, leading to persistent contamination of the user's environment.

What does this mean for users and companies?

For users and companies, this means that just one click on a malicious link can allow an attacker to permanently "inject" malicious data into the memory of the ChatGPT account. From that moment on, even seemingly ordinary queries can trigger unwanted actions, such as data theft or content modifications.

Therefore, ChatGPT Atlas should be treated as a critical infrastructure component – it connects applications, identity, and intelligence in one space. Even if someone does not use Atlas, the problem shows that memory features in AI systems open a new attack vector. It is advisable to limit memory saving, carefully check links, and separate personal accounts from work accounts until the vulnerability is fully patched.

Although the exploit presented by LayerX looks real and dangerous, it should be noted that full technical details have not been disclosed (to avoid easy reproduction of the attack). 

On the other hand, the fact that the attack affects not only the browser itself but also the AI memory integrated with the user's account means that the security model for AI browsers requires a new approach.

If you are a security-conscious user or work in an organization, treat Atlas and similar browsers as an "early access" version with higher risk, and take precautions until the market and manufacturers catch up with them.

Katarzyna Petru

Journalist, reviewer, and columnist for the "ChooseTV" portal