Atlas vuln lets crims inject malicious prompts ChatGPT won't forget between sessions
It can do a lot more than just play 'Eye of the Tiger' daily
In yet another reminder to be wary of AI browsers, researchers at LayerX uncovered a vulnerability in OpenAI's Atlas that lets attackers inject malicious instructions into ChatGPT's memory using cross-site request forgery.
This exploit, dubbed ChatGPT Tainted Memories by browser security vendor LayerX's researchers, who found and disclosed the security hole to OpenAI, involves some level of social engineering in that it does require the user to click on a malicious link. It also poses a risk to ChatGPT users on any browser — not just Atlas, which is OpenAI's new AI-powered web browser that launched last week for macOS.
But it's especially dangerous for people using Atlas, according to LayerX co-founder and CEO Or Eshed. This is because Atlas users are typically logged in to ChatGPT by default, meaning their authentication tokens are stored in the browser and can be abused during an active session. Plus, "LayerX testing indicates that the Atlas browser is up to 90 percent more exposed than Chrome and Edge to phishing attacks," Eshed said in a Monday blog.
OpenAI did not immediately respond to The Register's questions about the attack and LayerX's research. We will update this story when we hear back from the AI giant.
The attack involves abusing a cross-site request forgery vulnerability - exploiting a user's active session on a website, and then forcing the browser to submit a malicious request to the site. The site processes this request as a legitimate one from the user who is authenticated on the website. In this case: it gives an attacker access to OpenAI systems that the user has already logged into, and then injects nefarious instructions.
It also involves infecting ChatGPT's built-in memory feature - this allows the chatbot to "remember" users' queries, chats, and preferences, and reuse them across future chats - and then injecting hidden instructions into ChatGPT's memory using cross-site request forgery.
"Once an account's memory has been infected, this infection is persistent across all devices that the account is used on - across home and work computers, and across different browsers - whether a user is using them on Chrome, Atlas, or any other browser," Eshed wrote.
"This makes the attack extremely 'sticky,' and is especially dangerous for users who use the same account for both work and personal purposes," he added.
Here's how the attack works:
- The user logs into ChatGPT.
- The user is tricked into clicking a malicious link, likely via phishing or some type of social engineering, and the link directs them to a compromised web page. In this particular example, it's a "Please check out this cool GPT prompt" message in a vibe coding Discord channel.
- This kicks off a cross-site request forgery attack that abuses the user's existing authentication credentials.
- The request injects hidden instructions into ChatGPT's memory without the user's knowledge.
- The next time the user queries ChatGPT, it "remembers" the malicious instructions and acts upon them.
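The forgery in steps 3 and 4 works only if the memory-writing endpoint accepts a request on the strength of the session cookie alone. The following is an added illustration, not code from LayerX, OpenAI or the article, of the two standard server-side checks that stop it: an Origin/Referer allow-list and a per-session anti-CSRF token. The endpoint name, header names and origin are assumptions made up for the example.

```python
# Added example: a minimal model of a "store memory" endpoint that rejects
# cross-site forged requests. Endpoint, header names and origin are assumed.
from dataclasses import dataclass, field
import hmac
import secrets

ALLOWED_ORIGINS = {"https://chat.example"}  # constructed first-party origin

@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    memory: list = field(default_factory=list)

@dataclass
class Request:
    cookies: dict   # sent automatically by the browser, even cross-site
    headers: dict   # Origin/Referer are set by the browser; a page cannot forge them
    body: dict

SESSIONS: dict = {}

def login(user: str) -> tuple[str, Session]:
    """Create a session; returns the cookie value and the session object."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid, SESSIONS[sid]

def add_memory(req: Request) -> tuple[int, str]:
    """State-changing endpoint: only first-party, token-bearing requests may write."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    # Check 1: the request must originate from the first-party site.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS):
        return 403, "cross-site origin rejected"
    # Check 2: the caller must present the per-session token, which a
    # third-party page never sees (the cookie alone is not proof of intent).
    token = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    session.memory.append(req.body["text"])
    return 200, "memory stored"
```

A real deployment would also mark the session cookie `SameSite=Lax` or `Strict`, so the browser does not attach it to cross-site POSTs in the first place.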
In LayerX's proof-of-concept, it's not too malicious. The hidden prompt tells the chatbot to create a Python-based script that detects when the user's phone connects to their home Wi-Fi network and then automatically plays "Eye of the Tiger."
But this same technique could be used to deploy malware, steal data, or give the attacker full control over the victim's systems.
And, according to Eshed, the risk is much greater for people using AI-based browsers, of which Atlas is one of the most powerful.
LayerX tested 103 in-the-wild phishing attacks and web vulnerabilities against traditional browsers like Chrome and Edge, as well as AI browsers Comet, Dia, and Genspark.
In these tests, Edge stopped these attacks 53 percent of the time, which was similar to Chrome and Dia at 47 percent, while Comet and Genspark stopped just 7 percent. Atlas, however, only stopped 5.8 percent of malicious web pages, which LayerX says means Atlas users are 90 percent more vulnerable to phishing attacks compared to people using other browsers.
This new exploit follows a prompt injection attack against Atlas, demonstrated by NeuralTrust, where researchers disguised a malicious prompt as a harmless URL. Atlas treated these hidden instructions as high-trust "user intent" text, which can be abused to trick the AI browser into enabling harmful actions.
Similar to the LayerX PoC, the NeuralTrust attack involves social engineering - the user needs to copy and paste the fake URL into Atlas's "omnibox," which is where a user enters URLs or search terms.
But in the immediate aftermath of OpenAI's Atlas release, researchers demonstrated how easy it is to trick the AI browser into following commands maliciously embedded in a web page via indirect prompt injection attacks. ®
Updated to add at 1927 GMT on October 29, 2025
An OpenAI spokesperson claimed in a statement to The Register after the story was published: "To our knowledge, this issue doesn't impact ChatGPT Atlas, which isn't vulnerable to this kind of cross-site request forgery (CSRF) attack. We've reached out to LayerX for more information – based on what's been provided so far, we haven't been able to reproduce the results of the report. We have not seen any real-world attempts to exploit this to date."
"Keeping people safe is core to how we build. We're constantly strengthening our models and our defenses against threats like phishing and prompt-injection attempts, and we appreciate researchers who surface potential risks. We'll keep working with the security community through our coordinated disclosure process to protect users," the spokesperson added.
Updated to add at 2105 GMT on October 29, 2025
In response, a LayerX spokesperson told The Register: "We have demonstrated to them that the Atlas browser is vulnerable, and stand by our research."