Prompt Injection and Persistent Memory Exploits in AI-Powered Browsers
Researchers have identified critical security vulnerabilities in several AI-powered browsers, including OpenAI's Atlas and other emerging platforms such as Comet and Fellou. These browsers, which allow AI agents to perform actions on behalf of users, are susceptible to prompt injection attacks—where hidden or malicious instructions embedded in web content are executed by the AI. In documented cases, attackers were able to hide commands in web pages or images, leading the browser to perform unauthorized actions such as extracting email subject lines and exfiltrating data to attacker-controlled sites, all without user confirmation.
A particularly severe exploit targets the persistent memory feature of the ChatGPT Atlas browser, introduced by OpenAI to personalize user experiences. By chaining a cross-site request forgery (CSRF) vulnerability with a memory write, attackers can inject malicious instructions that persist across sessions, devices, and even different browsers. This allows for ongoing compromise, including privilege escalation, malware deployment, and account takeover, unless users manually clear the tainted memory. The persistence and stealth of these attacks significantly elevate the risk profile for users of AI-enabled browsers, highlighting the urgent need for robust security controls and user awareness around prompt injection threats.
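The chain described above works because a memory-write endpoint accepts requests that the browser sends automatically with the victim's cookies. As an added defender-side example (not OpenAI's or Atlas's code; the endpoint shape, header names, origin and session store are assumptions), this Python handler persists a memory entry only when the request is provably same-origin and carries a session-bound token, and records every rejected attempt so tainted-memory attempts can be detected:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed first-party origin of the assistant UI (illustrative value).
ALLOWED_ORIGINS = {"https://assistant.example"}
# Sec-Fetch-Site values a browser sends for requests the user's own UI makes.
SAFE_FETCH_SITES = {"same-origin", "none"}


@dataclass
class Session:
    """Minimal stand-in for a logged-in user's server-side session."""
    user_id: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))
    memory: list = field(default_factory=list)   # persisted assistant memory
    audit: list = field(default_factory=list)    # write attempts, for detection


def csrf_token(session: Session) -> str:
    """Session-bound token the first-party UI attaches; a cross-site form or
    fetch cannot read it, even though cookies are attached automatically."""
    return hmac.new(session.csrf_secret.encode(), b"memory-write",
                    hashlib.sha256).hexdigest()


def handle_memory_write(session: Session, headers: dict, body: dict) -> dict:
    """Persist a memory entry only for requests provably made by the user's UI."""
    origin = headers.get("Origin")
    fetch_site = headers.get("Sec-Fetch-Site")
    token = headers.get("X-CSRF-Token", "")

    # 1. Cookies alone prove nothing: a lured click elsewhere sends them too.
    #    Reject anything the browser marks as cross-site or from another origin.
    if origin not in ALLOWED_ORIGINS or fetch_site not in SAFE_FETCH_SITES:
        session.audit.append(("rejected", "cross-site", origin, fetch_site))
        return {"status": 403, "reason": "cross-site request"}

    # 2. Require the session-bound token (constant-time comparison).
    if not hmac.compare_digest(token, csrf_token(session)):
        session.audit.append(("rejected", "bad-token", origin, fetch_site))
        return {"status": 403, "reason": "missing or invalid CSRF token"}

    # 3. Write with provenance so tainted entries can be reviewed or purged later.
    session.memory.append({"text": body.get("text", ""), "source": "user-ui"})
    session.audit.append(("accepted", "ok", origin, fetch_site))
    return {"status": 200, "memory_size": len(session.memory)}
```

The audit list is the detection hook: a burst of "rejected" entries for one session is the signal a defender would alert on.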

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers report prompt injection risks across AI browsers
By late October 2025, security research highlighted that AI browsers including OpenAI Atlas, Comet, and Fellou are vulnerable to direct and indirect prompt injection attacks. The findings showed hidden instructions in web pages or URLs could trigger unauthorized actions such as data exfiltration or changing user settings.
NeuralTrust demonstrates related prompt injection attack on ChatGPT Atlas
NeuralTrust demonstrated a separate but related prompt injection attack affecting ChatGPT Atlas, underscoring broader security weaknesses in AI-powered browsers. The research showed that malicious instructions embedded in content can manipulate browser agents into unsafe actions.
LayerX identifies CSRF-based memory injection flaw in ChatGPT Atlas
Researchers at LayerX Security discovered a critical vulnerability in OpenAI's ChatGPT Atlas browser that lets attackers use cross-site request forgery to inject malicious instructions into the assistant's persistent memory. The attack can be triggered by luring a logged-in user to a malicious link and may enable arbitrary code execution, privilege escalation, malware deployment, and cross-device persistence.
OpenAI introduces ChatGPT memory feature
OpenAI introduced ChatGPT's persistent memory feature, designed to personalize user experiences across sessions. Later research identified this feature as a key component that could be abused for persistent compromise.
Researchers disclose environment-injected memory poisoning attack on web agents
Researchers introduced Environment-injected Trajectory-based Agent Memory Poisoning (eTAMP), a technique that poisons an LLM web agent's persistent memory through manipulated environmental observations rather than direct memory access. The study showed a single poisoned observation could persist across sessions and sites, with measurable success rates against multiple models and increased effectiveness under 'Frustration Exploitation' conditions.
Sources
AI browsers face a security flaw as inevitable as death and taxes (go.theregister.com)
New ChatGPT Atlas Browser Exploit Lets Attackers Plant Persistent Hidden Commands (thehackernews.com)
Poison Once, Exploit Forever: Environment-Injected Memory Poisoning Attacks on Web Agents (infosec.pub)