Cyber researchers have already identified several big security vulnerabilities on OpenAI’s Atlas browser
Security researchers have uncovered a Cross-Site Request Forgery (CSRF) attack and a prompt injection technique
With OpenAI’s Atlas browser just over a week old, cyber experts have already identified several vulnerabilities and potential security risks for users.
Researchers have discovered a vulnerability in the AI browser that allows attackers to inject malicious instructions directly into ChatGPT's memory and execute remote code.
According to researchers at LayerX, the flaw can affect ChatGPT users on any browser, but is particularly dangerous for users of OpenAI’s new agentic browser, ChatGPT Atlas.
"LayerX has found that Atlas currently does not include any meaningful anti-phishing protections, meaning that users of this browser are up to 90% more vulnerable to phishing attacks than users of traditional browsers like Chrome or Edge," researchers said.
Users are also logged in to ChatGPT by default, LayerX noted, and its testing indicates Atlas users are up to 90% more exposed to phishing attacks than users of Chrome and Edge.
In this exploit, attackers can use a Cross-Site Request Forgery (CSRF) request to 'piggyback' on the victim’s ChatGPT access credentials, and inject malicious instructions into ChatGPT’s memory.
When the user later uses ChatGPT for legitimate purposes, the ‘tainted memories’ are invoked. They can execute remote code that allows the attacker to gain control of the user's account, their browser, code they are writing, or systems they have access to.
Notably, researchers warned the exploit can persist across devices and sessions, enabling remote code execution and potential takeover of a user account, browser, or connected systems without them realizing anything is wrong.
More security issues for Atlas
The findings from LayerX mark the latest in a string of warnings over the potential security risks associated with the new browser.
Researchers at NeuralTrust, for example, demonstrated a prompt injection attack that's also affecting Atlas, whereby its omnibox can be jailbroken by disguising a malicious prompt as a seemingly harmless URL to visit.
In this instance, an attacker crafts a string that appears to be a URL but is malformed, and won't be treated as a navigable URL by the browser. The string embeds explicit natural language instructions to the agent.
When the user pastes or clicks this string so it lands in the Atlas omnibox, the input fails URL validation, and Atlas treats the entire content as a prompt. The embedded instructions are now interpreted as trusted user intent with fewer safety checks.
The injected instructions are then executed with elevated trust, as though the user had typed them.
Jamie Akhtar, CEO and co-founder at CyberSmart, said the recent findings are a prime example of the “security pitfalls of LLMs and AI browsers”.
“Although these technologies have ushered in a future of possibilities for cybersecurity, they’ve also been partly responsible for the democratization of cyber crime,” he said.
“Threats like prompt injections aren’t particularly difficult for any cyber criminal with rudimentary knowledge to use (once they’ve been created), despite their sophistication,” Akhtar added.
“What makes them so dangerous is the ability to manipulate the AI's underlying decision-making processes and effectively turn the agent against the user.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.