ChatGPT Atlas Vulnerability Turns AI Browser Into Weapon

Written By
eWEEK Staff
Oct 28, 2025

Research reveals a security flaw that can turn OpenAI’s newly launched ChatGPT Atlas browser into an attack vector against its own users.

The weakness sits in how AI browsers digest web content, according to LayerX research.

LayerX’s blog post shows that this is not just another software bug. It is a critical breach that lets malicious actors slip hidden commands into ChatGPT’s memory system, then ride along to compromise devices and steal sensitive data across platforms. Worse timing is hard to imagine, since OpenAI rolled Atlas out to an audience of 800 million weekly users last week.

The attack method

How does it work? A sophisticated Cross-Site Request Forgery (CSRF) attack turns ChatGPT’s own Memory feature against the user. Attackers lure victims to booby-trapped pages through phishing, then fire off forged requests that leverage existing authenticated sessions.

Those hidden directives get tucked into ChatGPT’s memory like stowaways, then wake up during normal, innocent-looking queries. The AI can be pushed to fetch remote code from attacker-controlled servers or to produce other harmful outputs. Security analysts discovered that the contamination follows the user, persisting across devices and browsers tied to the same account, which makes cleanup a headache.

What makes it sting is Atlas’s default habit of keeping ChatGPT credentials handy. That convenience gives CSRF a smooth runway. Combine that with the browser’s agentic features, which can run tasks on their own, and the risk climbs fast, amplified by the AI’s decision-making power over user data and systems.

Atlas under pressure

Side by side with established browsers, the gap is glaring. In tests with 103 real-world phishing attacks, Atlas blocked only 5.8%. Chrome and Edge landed in the 47 to 53 percent range.

A broader investigation by Brave surfaced indirect prompt injection tricks that plant commands in webpages or even screenshots. The result can be quiet data exfiltration or actions taken with zero user awareness.

At the core is a blurry line. AI browsers mix trusted user instructions with untrusted web content. Security professionals warn that attackers can hide instructions in white text on a white background, or in machine-readable snippets that people will miss but the AI still processes.
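A defensive pre-filter for the hidden-text problem described above, as an added example that is not code from the article, LayerX, Brave or OpenAI: it splits a page into text a person would see and text only a machine reads, so the second list can be dropped or flagged before content reaches a model. The names `VisibleTextSplitter`, `split_page` and `css_value` are hypothetical, the sample page is constructed, and the check assumes inline styles only (no stylesheets or computed styles).

```python
import re
from html.parser import HTMLParser

# Heuristic inline-style rules that make text invisible to a person.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                          r"(?:opacity|font-size)\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr", "source", "embed"}
NEVER_SHOWN = {"script", "style", "template", "noscript", "head"}
# Constructed sample page, not taken from the article or the cited research.
SAMPLE = ('<body><h1>Recipe</h1><p>Mix flour and water.</p>'
          '<p style="color:#FFF">hidden note A</p><!-- hidden note C -->'
          '<div style="display:none"><span>hidden note B</span></div></body>')

def css_value(style, prop):
    """Normalised value of one inline CSS property, or None if absent."""
    m = re.search(r"(?:^|;)\s*" + prop + r"\s*:\s*([^;]+)", style, re.I)
    value = m.group(1).strip().lower().replace(" ", "") if m else None
    return "white" if value in WHITE else value

class VisibleTextSplitter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = [("#root", False, "black", "white")]  # (tag, hidden, fg, bg); assumed defaults
        self.visible, self.hidden = [], []
    def handle_starttag(self, tag, attrs):
        a, (_, p_hidden, p_fg, p_bg) = dict(attrs), self.stack[-1]
        style = a.get("style") or ""
        hidden = (p_hidden or tag in NEVER_SHOWN or "hidden" in a
                  or bool(HIDDEN_STYLE.search(style)))
        fg = css_value(style, "color") or p_fg
        bg = css_value(style, r"background(?:-color)?") or p_bg
        if tag not in VOID:  # void elements have no children to inherit state
            self.stack.append((tag, hidden, fg, bg))
    def handle_endtag(self, tag):
        tags = [frame[0] for frame in self.stack]
        if tag in tags[1:]:  # pop back to the matching open tag, never the root
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]
    def handle_data(self, data):
        _, hidden, fg, bg = self.stack[-1]
        if data.strip():  # text in the same colour as its background counts as hidden
            (self.hidden if hidden or fg == bg else self.visible).append(data.strip())
    def handle_comment(self, data):
        self.hidden.append(data.strip())  # comments are never rendered

def split_page(html):
    parser = VisibleTextSplitter()
    parser.feed(html)
    parser.close()  # flush any buffered trailing text
    return parser.visible, parser.hidden
```

Calling `split_page(SAMPLE)` returns the two lists; only the first should be treated as page content a user could have seen.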

Responses needed

OpenAI Chief Information Security Officer Dane Stuckey has acknowledged that prompt injection remains a frontier, unsolved security problem, even with red-teaming and rapid response systems in place.

For immediate protection, industry specialists strongly recommend updating or uninstalling the Atlas browser until official patches arrive. Organizations should revoke existing authentication tokens and use endpoint protection to watch for unauthorized access to credential stores.

Security professionals also advise training users on safe AI tool habits and how to spot untrusted client apps, since this vulnerability shows how AI platforms can become fresh pathways for cyber exploitation across multiple industries.

This article was reviewed by Antony Peyton.
