New ChatGPT Atlas Browser Exploit Lets Attackers Plant Hidden, Lasting Commands

Cybersecurity experts have uncovered a serious flaw in OpenAI’s ChatGPT Atlas browser — one that could let hackers secretly plant harmful commands inside the AI’s memory and even run their own code.

“This exploit gives attackers a frightening level of control — they can slip in malicious code, steal access, or install malware without users even realizing,” warned Or Eshed, Co-Founder and CEO of LayerX Security, in a report shared with The Hacker News.

At the heart of this discovery is a cross-site request forgery (CSRF) weakness. In simple terms, it allows hackers to sneak instructions into ChatGPT’s persistent memory — the part of the AI that “remembers” details between chats. Once this memory is infected, it doesn’t just vanish; it lingers across sessions and devices. That means the next time a user opens ChatGPT for something totally innocent, like asking it to write code or summarize an email, those hidden instructions could suddenly come alive.

OpenAI introduced the memory feature back in February 2024 to make ChatGPT more personal and helpful — remembering things like your name, favorite color, or writing style. It was meant to make conversations feel more human. But now, researchers say that same helpful memory could be turned into a digital trap.

The danger lies in how persistent these “tainted memories” are. They stay buried until a user goes into settings and deletes them manually — something most people would never think to do. What was supposed to be a friendly assistant’s memory can suddenly become a hacker’s hidden weapon.

“What makes this exploit particularly scary,” explained Michelle Levy, Head of Security Research at LayerX, “is that it doesn’t just hijack your browser session. It buries itself in the AI’s long-term memory. That means the malicious commands can survive across devices, browsers, and even fresh sessions.”

LayerX researchers said their tests revealed just how sneaky this can get. Once the memory is compromised, even normal ChatGPT prompts could trigger harmful actions like fetching malicious code, stealing data, or escalating system privileges — all without raising any alerts.

Here’s how the attack unfolds:

1. The user logs into ChatGPT.

2. They’re tricked into clicking a malicious link — maybe sent through a phishing email or a fake website.

3. That link silently launches a CSRF request, taking advantage of the fact that the user is already logged in, and injects the hidden instructions into ChatGPT’s memory.

4. Later, when the user talks to ChatGPT again for a completely normal task, those planted instructions spring into action — executing code or giving attackers access.

LayerX has withheld specific technical details to prevent misuse, but the researchers noted that ChatGPT Atlas’ weaker phishing protections make the issue even worse. In their analysis, Atlas users were up to 90% more vulnerable than users on traditional browsers like Chrome or Edge.

In a controlled test against over a hundred real-world phishing and exploit attempts, Microsoft Edge blocked 53% of attacks, Google Chrome caught 47%, and Dia stopped 46%. In sharp contrast, Perplexity’s Comet and ChatGPT Atlas managed to stop only 7% and 5.8% respectively.

That gap opens the door to all kinds of nightmare scenarios — for instance, a developer asking ChatGPT to help write code might unknowingly trigger hidden instructions that slip malicious logic into their work.

This finding comes on the heels of another attack demonstrated by NeuralTrust, where ChatGPT Atlas’ omnibox could be “jailbroken” using a disguised URL — a malicious prompt hiding in plain sight. Experts warn that as AI tools become deeply integrated into daily workflows, they’re also becoming prime targets for data theft.

“AI browsers are merging identity, intelligence, and automation into one big attack surface,” said Eshed. “Vulnerabilities like this one — which we call ‘Tainted Memories’ — don’t just infect a single system. They move with the user, contaminating future work and blurring the line between helpful AI and hidden control.”

He added that as browsers evolve into full AI-powered work platforms, organizations must start treating them as critical infrastructure. “This is where the next wave of AI productivity — and AI threats — will unfold.”