Cybersecurity researchers have found a new vulnerability in OpenAI's ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant's memory and run arbitrary code.
"This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware," LayerX Security Co-Founder and CEO, Or Eshed, said in a report shared with The Hacker News.
The attack, at its core, leverages a cross-site request forgery (CSRF) flaw that could be exploited to inject malicious instructions into ChatGPT's persistent memory. The corrupted memory can then persist across devices and sessions, allowing an attacker to conduct various actions, including seizing control of a user's account, browser, or connected systems, when a logged-in user attempts to use ChatGPT for legitimate purposes.
Memory, first introduced by OpenAI in February 2024, is designed to allow the AI chatbot to remember useful details between chats, thereby allowing its responses to be more personalized and relevant. This could be anything ranging from a user's name and favorite color to their interests and dietary preferences.

The attack poses a significant security risk in that, by tainting memories, it allows the malicious instructions to persist until users explicitly navigate to the settings and delete them. In doing so, it turns a helpful feature into a potent weapon that can be used to run attacker-supplied code.
"What makes this exploit uniquely dangerous is that it targets the AI's persistent memory, not just the browser session," Michelle Levy, head of security research at LayerX Security, said. "By chaining a standard CSRF to a memory write, an attacker can invisibly plant instructions that survive across devices, sessions, and even different browsers."
"In our tests, once ChatGPT's memory was tainted, subsequent 'normal' prompts could trigger code fetches, privilege escalations, or data exfiltration without tripping meaningful safeguards."

The attack plays out as follows –
- User logs in to ChatGPT
- The user is tricked into opening a malicious link through social engineering
- The malicious web page triggers a CSRF request, leveraging the fact that the user is already authenticated, to inject hidden instructions into ChatGPT's memory without their knowledge
- When the user queries ChatGPT for a legitimate purpose, the contaminated memories will be invoked, leading to code execution
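The chain above hinges on the third step: a state-changing "write to memory" request that the server accepts on the strength of the session cookie alone. The following is an added example, not OpenAI's or LayerX's code, and the endpoint, origin, cookie and token names are all hypothetical; it models such an endpoint next to a hardened version that rejects cross-site requests using the Origin header, Fetch Metadata and a synchronizer token, and simulates both a cross-site and an in-app request against each.

```python
from collections import namedtuple
import hmac, secrets

Request = namedtuple("Request", "method cookies headers body")
APP_ORIGIN = "https://chat.example"             # hypothetical app origin
SESSIONS = {"sess-abc": "alice"}                # constructed: cookie -> user
CSRF_TOKENS = {"alice": secrets.token_hex(16)}  # per-user token issued in-app
MEMORY = {"alice": []}                          # the "persistent memory" store

def vulnerable_write_memory(req):
    # Trusts the session cookie alone: any page that makes the browser send a
    # credentialed request can write memory on the user's behalf.
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    MEMORY[user].append(req.body["text"])
    return 200

def hardened_write_memory(req):
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    if req.method != "POST":  # state changes never on GET
        return 405
    # Origin is set by the browser, not by page script, and must be ours.
    if req.headers.get("Origin") != APP_ORIGIN:
        return 403
    # Fetch metadata: a request initiated from another site is labelled as such.
    if req.headers.get("Sec-Fetch-Site", "same-origin") != "same-origin":
        return 403
    # Synchronizer token: only in-app script can read and attach it.
    if not hmac.compare_digest(req.headers.get("X-CSRF-Token", ""), CSRF_TOKENS[user]):
        return 403
    MEMORY[user].append(req.body["text"])
    return 200

def simulate(handler, from_attacker_site):
    # Constructed requests: from another site the browser still attaches the
    # session cookie, but Origin/Sec-Fetch-Site name the real source and the
    # page cannot supply the in-app token.
    if from_attacker_site:
        headers = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}
    else:
        headers = {"Origin": APP_ORIGIN, "Sec-Fetch-Site": "same-origin",
                   "X-CSRF-Token": CSRF_TOKENS["alice"]}
    req = Request("POST", {"session": "sess-abc"}, headers, {"text": "constructed entry"})
    return handler(req)
```

In a real deployment the session cookie would also be issued with a SameSite attribute so the browser withholds it from cross-site requests in the first place; the server-side checks above are the defense in depth for when it is not.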
Additional technical details needed to pull off the attack have been withheld. LayerX said the problem is exacerbated by ChatGPT Atlas' lack of robust anti-phishing controls, which the browser security company said leaves users up to 90% more exposed than traditional browsers like Google Chrome or Microsoft Edge.
In tests against over 100 in-the-wild web vulnerabilities and phishing attacks, Edge managed to stop 53% of them, followed by Google Chrome at 47% and Dia at 46%. In contrast, Perplexity's Comet and ChatGPT Atlas stopped only 7% and 5.8% of malicious web pages.
This opens the door to a wide spectrum of attack scenarios, including one where a developer's request to ChatGPT to write code could cause the AI agent to slip in hidden instructions as part of the vibe coding effort.

The development comes as NeuralTrust demonstrated a prompt injection attack affecting ChatGPT Atlas, where its omnibox can be jailbroken by disguising a malicious prompt as a seemingly harmless URL to visit. It also follows a report that AI agents have become the most common data exfiltration vector in enterprise environments.
"AI browsers are integrating app, identity, and intelligence into a single AI threat surface," Eshed said. "Vulnerabilities like 'Tainted Memories' are the new supply chain: they travel with the user, contaminate future work, and blur the line between helpful AI automation and covert control."
"As the browser becomes the common interface for AI, and as new agentic browsers bring AI directly into the browsing experience, enterprises need to treat browsers as critical infrastructure, because that's the next frontier of AI productivity and work."