ChatGPT Atlas Flaw: Hackers Inject Persistent Commands into AI’s Memory
A newly discovered vulnerability in ChatGPT Atlas, the experimental browser developed by OpenAI, allows attackers to silently inject malicious commands into the AI’s persistent memory, enabling the execution of arbitrary code on behalf of the victim. The warning comes from the LayerX research team, which specializes in browser security. Their report details a method by which malicious instructions are implanted not within the browser session itself, but into the long-term memory of the AI assistant—a feature introduced in February 2024 to store user preferences across conversations.
The attack begins with social engineering: an already authenticated ChatGPT user is lured into clicking a specially crafted link. The loaded page initiates a CSRF request, exploiting the active session to store a hidden instruction inside ChatGPT’s memory. From that moment onward, any subsequent query to the assistant may trigger the execution of malicious code, potentially granting elevated privileges, downloading external scripts, or exfiltrating data. The infected memory persists across sessions, devices, and browsers until the user manually deletes the compromised entry from the settings.
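The CSRF step works only if the endpoint that writes to memory accepts a cross-site request carrying nothing but the victim's session cookie. The following is an added example, not code from LayerX or OpenAI, showing the standard server-side checks that refuse such a request; the origin `https://assistant.example`, the header name `X-CSRF-Token`, and the function names are hypothetical, and the sample requests are constructed.

```python
import hmac
from urllib.parse import urlsplit

# Hypothetical values for illustration; not taken from any real service.
TRUSTED_ORIGINS = {"https://assistant.example"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def origin_of(url):
    """Reduce an Origin/Referer value to scheme://host[:port], or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers the opaque origin "null" and malformed values
    return f"{parts.scheme}://{parts.netloc}".lower()

def allow_memory_write(method, headers, session_csrf_token):
    """Return (allowed, reason) for a request to a memory-write endpoint."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in STATE_CHANGING:
        return False, "memory writes must use a state-changing method"
    # Fetch Metadata: the browser states how the initiator relates to us.
    site = h.get("sec-fetch-site")
    if site is not None and site != "same-origin":
        return False, f"cross-site initiator ({site})"
    # Origin (or Referer as fallback) must be the application itself.
    source = h.get("origin") or h.get("referer")
    if source is None or origin_of(source) not in TRUSTED_ORIGINS:
        return False, "missing or untrusted Origin/Referer"
    # A session cookie alone never authorizes the write: require a
    # per-session token that a foreign page cannot read or guess.
    sent = h.get("x-csrf-token", "")
    if not hmac.compare_digest(sent.encode(), session_csrf_token.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"

TOKEN = "constructed-token-3f9a"  # constructed sample value
# Constructed request as sent by a lure page: cookie rides along, no token.
FORGED = {"Origin": "https://lure.example", "Sec-Fetch-Site": "cross-site",
          "Cookie": "session=constructed"}
# Constructed request as sent by the application's own front end.
LEGIT = {"Origin": "https://assistant.example", "Sec-Fetch-Site": "same-origin",
         "Cookie": "session=constructed", "X-CSRF-Token": TOKEN}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT)):
        print(name, allow_memory_write("POST", req, TOKEN))
```

Each check is independent, so a client that omits `Sec-Fetch-Site` is still stopped by the Origin and token checks.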
The researchers at LayerX emphasize that the attack does not compromise the browser session directly; rather, it exploits the design of ChatGPT’s own memory system, turning a beneficial feature into a persistent command-injection channel. According to the head of the company’s research division, once an attacker successfully alters the AI’s stored “memories,” even ordinary user prompts could trigger covert execution of harmful operations, evading detection and bypassing existing security safeguards.
The issue is further compounded by Atlas’s notoriously weak resistance to phishing. In comparative tests measuring browser resilience against over a hundred real-world exploits and malicious sites, Atlas managed to block only 5.8% of attacks—compared to 53% for Microsoft Edge, 47% for Google Chrome, and roughly 7% for the niche Perplexity Comet browser. Such a low defense rate makes Atlas particularly vulnerable in enterprise environments, where AI-powered agents are increasingly becoming a vector for data leaks.
Previously, the firm NeuralTrust demonstrated another method of compromising Atlas through URL spoofing in the address bar, which tricked the AI into executing malicious commands disguised as legitimate links. According to LayerX, such techniques represent a new form of supply-chain attack in the AI era—where injected instructions follow the user and continue to influence future workflows.
As AI-enhanced browsers become deeply integrated into corporate infrastructure and everyday operations, experts warn that they must now be treated as critical security assets, on par with traditional enterprise systems. Otherwise, the boundary between helpful automation and covert external control may soon dissolve entirely.