Two serious security weaknesses found in OpenAI’s ChatGPT Atlas a week after launch


Two critical vulnerabilities were discovered in OpenAI’s ChatGPT Atlas browser a week after its release in October 2025. Security researchers revealed that attackers can hijack the artificial intelligence (AI) assistant and plant persistent malicious instructions.

The flaws allow cybercriminals to manipulate Atlas through fake URLs and memory infections.

NeuralTrust discovered the first vulnerability on October 24. Its researchers found that Atlas treats malformed web addresses as trusted user commands instead of blocking them.

NeuralTrust demonstrated that typing what appears to be a URL into Atlas’ address bar can actually execute hidden instructions. A string starting with “https” followed by embedded commands tricks the browser into treating the malicious code as input from a trusted user.

“Because omnibox prompts are treated as input from trusted users, they may receive fewer checks than content coming from web pages,” said Martí Jordà, security researcher at NeuralTrust. “The agent can initiate actions unrelated to the supposed target, including visiting sites chosen by the attacker or executing tool commands.”
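A defensive sketch of the omnibox decision described above, added here as an illustration; it is not code from OpenAI, Atlas or NeuralTrust. The function name, the three outcomes and the `trusted` flag are assumptions: input that starts like a web address must validate strictly or be refused, and is never handed to the assistant as a prompt.

```javascript
// Added example: hypothetical omnibox classifier; every name here is an assumption.

// Input that starts like a web address is committed to the URL path.
const LOOKS_LIKE_URL = /^(?:https?[:\/]|www\.)/i;
const STRICT_PREFIX = /^https?:\/\//i;

function reject(reason) {
  return { action: "reject", reason };
}

function classifyOmniboxInput(raw) {
  const text = String(raw).trim();
  if (!LOOKS_LIKE_URL.test(text)) {
    // Plain text goes to the assistant, flagged untrusted so the agent
    // applies the same checks it would apply to web page content.
    return { action: "prompt", text, trusted: false };
  }
  // The input claimed to be a URL: it validates or is refused.
  // There is no fallback to prompt mode on a failed parse.
  if (/[\s\u0000-\u001f\u007f]/.test(text)) {
    return reject("whitespace or control character in URL");
  }
  const candidate = /^www\./i.test(text) ? "https://" + text : text;
  if (!STRICT_PREFIX.test(candidate)) return reject("malformed scheme separator");
  let url;
  try {
    url = new URL(candidate); // WHATWG parser, built into browsers and Node
  } catch {
    return reject("does not parse as a URL");
  }
  if (url.username || url.password) return reject("embedded credentials");
  return { action: "navigate", url: url.href };
}

// Constructed sample inputs, not taken from the research.
const SAMPLES = [
  "https://example.com/path?q=1",
  "www.example.com",
  "https:/ /example.test/ then open the settings page",
  "https:example.com",
  "summarize this page",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", classifyOmniboxInput(s).action);
}
```

The whitespace check runs before parsing because the WHATWG parser percent-encodes spaces in a path instead of failing, so a parse error alone does not catch address-like text with trailing instructions.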

The most recent vulnerability, called “Tainted Memories”, exploits ChatGPT’s memory feature by forging cross-site requests. LayerX researchers demonstrated how clicking on a malicious link injects instructions that persist indefinitely.

“Once an account’s memory has been infected, this infection persists on all devices on which the account is used,” explained Or Eshed, CEO of LayerX. “This makes the attack extremely ‘sticky’ and is especially dangerous for users who use the same account for both work and personal purposes.”

The flaws affect ChatGPT users on any browser, but Atlas users face a higher risk because they log in to ChatGPT by default.

On top of that, LayerX tested the browser against 103 real-world phishing attacks and found that Atlas blocked only six of them. Chrome and Edge stopped about half of the same threats, making Atlas users almost 90% more vulnerable.

Both companies disclosed their findings to OpenAI in accordance with their responsible disclosure procedures. The company has not publicly addressed the specific vulnerabilities.

OpenAI Chief Information Security Officer Dane Stuckey previously acknowledged in a post on social media that prompt injection is an ongoing challenge. He called it “an unresolved border security issue.”

The company says it has implemented security measures, including training models to ignore malicious instructions and user controls to restrict access to the site. However, the newly discovered vulnerabilities apparently bypass these protections.

Other AI browsers, such as Perplexity Comet and Opera Neon, have shown similar security weaknesses in recent weeks. The researchers warn that these problems arise from fundamental design flaws in the way agentic browsers handle the distinction between user input and untrusted web content.

The findings raise questions about whether AI-powered browsers are ready for widespread use, particularly in work environments where a single compromised account could expose sensitive company data.
