A vulnerability in ChatGPT Atlas allows injecting malicious instructions into the AI assistant’s memory

Security researchers from LayerX discovered a vulnerability in OpenAI’s newly released ChatGPT Atlas browser. The issue allows attackers to inject malicious instructions into the AI assistant’s memory and execute arbitrary code.

At the core of the attack is a CSRF vulnerability that can be used to inject malicious instructions into ChatGPT’s persistent memory. The compromised memory will be accessible across all devices and sessions, enabling the attacker to carry out various actions (including account takeover, browser takeover, and so on) when the authenticated user tries to use ChatGPT for normal purposes.

OpenAI introduced this persistent memory feature in February 2024 so that the chatbot can retain information about a user’s preferences across conversations, which is intended to make ChatGPT’s responses more personalized and relevant.

“By chaining CSRF with a memory write, an attacker can stealthily inject instructions that persist across all devices, sessions, and even different browsers,” the experts say. “In our tests, after poisoning ChatGPT’s memory, ordinary queries led to code being loaded, privileges being escalated, and data being stolen without triggering any defense mechanisms.”

The attack works as follows:

  • the user logs in to ChatGPT;
  • the victim is tricked into visiting a malicious link, for example via social engineering;
  • the malicious web page uses a CSRF request, exploiting the fact that the user is already logged in, and silently injects hidden instructions into ChatGPT’s memory;
  • when the user makes a legitimate request to ChatGPT, the compromised memory is activated, which can lead, for example, to code execution.

In other words, if ChatGPT interprets malicious instructions as part of its memory or to-do list, it performs actions the user didn’t request: creates accounts, executes commands, accesses files, and so on. The malicious instructions remain active until the user goes into the settings and deletes them manually.
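The step that makes the chain work is that the browser attaches the user's session cookie to a request started by a third-party page, so a state-changing endpoint that trusts the cookie alone will accept the write. As an added illustration of the defensive side (this is not OpenAI's or LayerX's code, and the "memory write" route, header set and token scheme are assumptions), the guard below rejects a cross-site write while accepting one from the application's own origin:

```python
# Added example: a generic CSRF guard for a state-changing endpoint, here a
# hypothetical assistant "memory write" route. The route name, trusted origin,
# header checks and synchronizer-token scheme are assumptions for illustration,
# not the real service's implementation.

import hmac
import secrets
from typing import Optional, Tuple

TRUSTED_ORIGIN = "https://assistant.example"  # constructed placeholder origin


def issue_csrf_token() -> str:
    """Mint a per-session synchronizer token; the server keeps it bound to the session."""
    return secrets.token_urlsafe(32)


def csrf_check(headers: dict, session_token: str,
               submitted_token: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request.

    Three independent checks, so a single weak point is not enough:
      1. Sec-Fetch-Site, when the browser sends it, must not say cross-site.
      2. Origin must match the trusted origin.
      3. The request must carry the synchronizer token bound to the session;
         a third-party page cannot read it, so it cannot forge the write even
         though the session cookie is attached automatically.
    """
    h = {k.lower(): v for k, v in headers.items()}

    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, f"cross-site request (Sec-Fetch-Site={site})"

    origin = h.get("origin")
    if origin is None:
        # A write with no Origin header is refused (assumption: the app never
        # needs Origin-less state changes).
        return False, "missing Origin header"
    if origin != TRUSTED_ORIGIN:
        return False, f"untrusted Origin {origin}"

    if not submitted_token or not hmac.compare_digest(
            submitted_token.encode(), session_token.encode()):
        return False, "missing or mismatched CSRF token"

    return True, "ok"


def handle_memory_write(headers: dict, session_token: str,
                        submitted_token: Optional[str], memory: list,
                        new_entry: str) -> Tuple[bool, str]:
    """Hypothetical memory-write handler: appends only when the guard passes."""
    allowed, reason = csrf_check(headers, session_token, submitted_token)
    if allowed:
        memory.append(new_entry)
    return allowed, reason


# Constructed sample requests. In both, the browser has attached the session
# cookie; only the headers a server would use to tell them apart differ.
SESSION_TOKEN = issue_csrf_token()

# 1) A request launched from a third-party page (the scenario in the article).
CROSS_SITE_HEADERS = {
    "Origin": "https://third-party.example",
    "Sec-Fetch-Site": "cross-site",
    "Cookie": "session=abc123",
}

# 2) A legitimate write from the assistant's own UI.
SAME_ORIGIN_HEADERS = {
    "Origin": TRUSTED_ORIGIN,
    "Sec-Fetch-Site": "same-origin",
    "Cookie": "session=abc123",
}

if __name__ == "__main__":
    mem = []
    print(handle_memory_write(CROSS_SITE_HEADERS, SESSION_TOKEN, None, mem, "injected note"))
    print(handle_memory_write(SAME_ORIGIN_HEADERS, SESSION_TOKEN, SESSION_TOKEN, mem, "prefers metric units"))
    print(mem)  # only the same-origin entry lands in memory
```

The Origin and Sec-Fetch-Site checks stop the request at the edge; the synchronizer token is what holds even if a header is missing or spoofed by a non-browser client. On the user side, the same logic is why the recommendation to review stored memory matters: a write that slipped past such checks stays in effect until it is removed.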

LayerX has already notified OpenAI representatives about the vulnerability, but there is no patch yet, and the researchers are not disclosing technical details to prevent potential exploitation of the issue.

Experts recommend that ChatGPT Atlas users limit use of the browser, avoid working with email, finances, and other private data, avoid clicking unfamiliar links, and regularly check what actions the AI agent is taking.

It’s worth noting that the ChatGPT Atlas browser is currently available only for macOS. Versions for Windows and Android are expected to arrive in the near future, but OpenAI has not yet provided specific dates.
