OpenAI Atlas Browser Vulnerability Allows Malicious Code Injection into ChatGPT
A critical vulnerability has been reported in OpenAI’s new ChatGPT Atlas browser that lets an attacker plant malicious instructions in ChatGPT’s persistent Memory and, through them, potentially get remote code run on the user’s system. The flaw, identified by LayerX, uses Cross-Site Request Forgery (CSRF) to ride on the victim’s already-authenticated ChatGPT session, opening the door to malware infection and unauthorized access.
The attack relies on the fact that a user logged into ChatGPT keeps an authentication cookie or token in the browser, and the browser attaches it automatically to any request sent to ChatGPT, whichever page the request comes from. The attacker lures the victim to a malicious webpage, typically via a phishing link. That page issues a forged request to ChatGPT which the browser sends with the victim’s credentials, and the request writes hidden instructions into ChatGPT’s Memory feature, the store of preferences and context that saves the user from repeating themselves. Unlike a conventional CSRF attack that performs one action on the victim’s behalf, this one targets the AI system’s persistent memory, so the LLM carries the attacker’s directives forward into every later conversation.
Once the instructions are embedded, they are activated during the user’s legitimate queries. The tainted memory can steer ChatGPT into harmful outputs, such as fetching code from an attacker-controlled server. Because Memory is tied to the account rather than to a device, the infection persists across every device and browser the user signs in from, which makes detection and remediation harder. Atlas users are at higher risk because the browser keeps the ChatGPT session permanently authenticated, which is exactly what a CSRF request needs.
LayerX’s testing showed Atlas blocking only 5.8% of phishing attempts, far below the 47-53% that Chrome blocked in the same tests, which LayerX says leaves Atlas users up to 90% more exposed. Injected memory instructions can also be used to subtly alter outputs in collaborative coding environments, slipping backdoors or exfiltration code into generated scripts. In LayerX’s proof of concept, the injected instructions told ChatGPT to pull malware from a server disguised as “server.rapture,” showing how the model’s flexibility can be turned against its user.
Given these findings, experts recommend immediate mitigation: stronger anti-forgery token validation on state-changing requests, and third-party security extensions for added visibility into what the browser sends. Users should enable multi-factor authentication, keep an eye on their active sessions and review their stored ChatGPT memories, deleting any entry they did not add themselves, since a poisoned entry survives a password change and a new device. The vulnerability shows that AI browsers need safeguards beyond those of a conventional browser, and without prompt fixes Atlas risks becoming the case that redefines what AI browser security has to cover.