Vulnerability in ChatGPT Atlas browser allows hackers to inject hidden commands

28.10.2025 2 minutes Author: Newsman

Cybersecurity experts have discovered a critical vulnerability in ChatGPT Atlas that allows attackers to inject malicious commands without the user’s knowledge. The attack combines a CSRF exploit with persistent memory, allowing malicious code to persist across sessions and even devices.

According to LayerX Security, the vulnerability in the ChatGPT Atlas browser allows manipulation of the AI’s memory, which poses a risk of remote code execution and data theft. The attack works simply: a user logs into their ChatGPT account and opens a phishing link, after which the malicious site sends a CSRF request that modifies the assistant’s memory. Any normal access to ChatGPT would then trigger hidden instructions that could execute malicious code, escalate privileges, or leak data to third parties.

  • Experts say this vulnerability is particularly dangerous because it affects ChatGPT’s persistent memories, not just the active browser session. This means that the infection could survive a device or browser change, remaining in the AI’s memory until the user manually deletes it.

  • The memory feature, which OpenAI introduced in February 2024, was designed to personalize ChatGPT’s responses by remembering your name, preferences, the context of previous conversations, and so on. However, this advantage has now become a new type of attack vector. LayerX’s research showed that ChatGPT Atlas has a significantly lower level of protection against phishing than classic browsers: Chrome blocks 47% of attacks, Edge 53%, and Atlas only 5.8%.

In addition, NeuralTrust demonstrated a related attack, prompt injection, which allows restrictions to be bypassed through fake links in the address bar. This emphasizes the scale of the problem: AI agents are increasingly becoming channels for corporate data leakage.

Experts call for AI browsers to be treated as critical infrastructure, as they combine applications, user identification and intelligence into a single threat surface. The “Tainted Memories” vulnerability demonstrates a new type of cyberthreat, in which the AI itself can be used as a tool for constant espionage. Users are advised to regularly clear ChatGPT memory, avoid following suspicious links, and limit the use of ChatGPT Atlas on corporate networks.
