Open AI, Quick to Respond on Mixpanel Breach; Security Analytics Tool for Proactive Security
Open AI, Quick to Respond on Mixpanel Breach; Security Analytics Tool for Proactive Security
Continue ReadingChatGPT
Report says ChatGpt Atlas is Vulnerable for Users: Understanding Open-AI Agent Mode
Atlas’s autofill and form interaction capabilities present potential attack points
As per reports ChatGpt Atlas browser is vulnerable to attacks and is laced with inherent weakness in comparison to other browser like Google Chrome. As per ‘LayerX ‘who discovered the weakness in ChatGpt Atlas, described threat actors have the ability to inject malicious instructions into ChatGPT’s ‘memory’ and execute remote code and this works by way of cross-site request forgery requests.
These exploit can allow attackers to infect systems with malicious code, grant themselves access privileges or deploy malware. “Understanding “Agent Mode” is most important and core of Atlas which is not same for any traditional browsers. In traditional browser where users manually move from site to site, agent mode allows ChatGPT to semi-autonomously operate your browser.
For e.g. any user wanting to use ChatGPT for work related purposes, the malicious code planted earlier mostly tainted will be invoked automatically to execute remote code, allowing attackers to gain control of the user account .This may include their browser, code they are writing or systems they have access to.
Rate of Vulnerability is 90% A Warning for Users
The rate of vulnerability is 90% then other browsers as when an attacker wish they can push or inject malicious instructions into ChatGPT’s Atlas ‘memory’ and later execute via remote code.
There is a more basic warning as well. “Atlas does not include meaningful anti-phishing protections, meaning that users of this browser are “up to 90% more vulnerable to phishing attacks than users of traditional browsers,” LayerX says.
Key pointers from research
ChatGPT’s Atlas is not resilient to Phishing attacks
Out of 103 in-the-wild attacks that LayerX tested 97 to go through, a whopping 94.2% failure rate
Compared to Edge (which stopped 53% of attacks in LayerX’s test) and Chrome (which stopped 47% of attacks),
ChatGPT Atlas was able to successfully stop only 5.8% of malicious web pages
Unlike traditional web browsers where you manually navigate the internet, agent mode allows ChatGPT to operate your browser semi-autonomously.
The technology works by giving ChatGPT access to your browsing context. It can see every open tab, interact with forms, click buttons and navigate between pages just as you would.
Importance of Security by Design for web browsing & How AI is intricately involved
The sandboxing approach which is security by design is to keep websites isolated from attacks and prevent malicious code from accessing data from other tabs is crucial to modern web architecture. This is the basis of modern web that depends on separation. But if its not implemented what can be the impact.
But in Atlas, the AI agent isn’t malicious code – it’s a trusted user with permission to see and act across all sites. In this browser isolation is not required. Here AI is not directly connected to the threat but what AI does is AI following a hostile command hidden in the environment. This opens doors to security and privacy risks many users are ill-equipped to handle.
Let me put an example : If you search for air tickets and visit a site , the Atlas ChatGpt will prompt and try to book a ticket or you search for movies in near by theater ,it attempts to book a ticket ”, it will explore options and try to book reservation. Atlas autofill’s and form interaction capabilities present potential attack points, especially when AI is making rapid decisions about information entry and submission.
This is possible when access is granted to ChatGPT for any browsing requirement or context that allows it to view and open tabs, interact with forms and navigate between pages like humans do.
Is User’s security getting compromised
The above example gives users warning that any AI powered browser may be convenient but not without security risks and those who are ChatGpt Atlas, should give extreme cautious before choices are made . Do not share browsing history with any AI mode, instead adopt incognito mode. Any malicious code can influence the AI’s behavior if browsing and this can happen across multiple tabs.
In case of Atlas, the condition is more vulnerable as Atlas provides inputs like humans doing and AI in disguise executing harmful commands within the environment.
Will AI Agent or Open AI make browsing safe for users or what it means to have safe browsing.
(Source: https://www.bbc.com/news/articles/c20pdy1exxvo)
Radware Uncovers Server Side Attack Targeting ChatGPT Known as Shadowleak
Researchers at Radware uncovered a server-side data theft attack targeting ChatGPT, termed as ShadowLeak. The experts discovered the zero-click vulnerability in ChatGPT’s Deep Research agent when connected to Gmail and browsing.
In this attack type ‘Service-side’ pose greater risk as enterprise defenses cannot detect exfiltration because it runs from the provider’s infrastructure.
ShadowLeak a Server side attack
For any normal user there would be no visible signs of data loss as the AI agent acts as a trusted proxy, sending sensitive data to attacker-controlled endpoints. These server-side requests face fewer URL restrictions, letting attackers export data to virtually any destination.
Shadowleak is an uncovered security flaw affecting ChatGPT’s Deep Research Agent. Which can connect to services like Gmail to help users analyze their emails.
Attackers could hide invisible instructions in a regular looking email. When the user asked ChatGPT to review their mailbox contents selecting deep research.
Vulnerability Details
ChatGPT’s Deep Research Agent was vulnerable because it could be tricked into following hidden instructions that were inside a seemingly ordinary email. When users ask the agent to analyze their inbox, any attacker can craft the message with invisible commands and cause AI to leak private data without warning.
These hidden instructions used tricks to fool the AI and get around its built-in safety checks. Some of those tricks included:
- Pretending to Have Permission: The prompt told the agent that it had “full authorization” to access outside websites, even though it didn’t.
- Hiding the Real Purpose: It disguised the hacker’s website as something safe sounding, like a “compliance validation system.”
- Telling the Agent to Keep Trying: If the AI couldn’t reach the attacker’s website the first time, the prompt told it to try again helping it sneak past any temporary protections.
- Creating Urgency: The prompt warned the agent that if it didn’t follow the instructions, it might not complete the report properly pushing it to obey.
- Hiding the Stolen Info: The agent was told to encode the personal data using Base64, which made the data harder to spot and helped hide the theft.
After reading the fake email, the agent would go look through the user’s real emails (like HR messages) and find personal info such as full names and addresses.
Without alerting the user, the AI would send that information to the attacker’s server, happening silently in the background, with no warning or visible signs.
This attack is not limited only to Gmail, also applies to any data sources Deep Research accesses, including Google Drive, Dropbox, Outlook, Teams and more. Any connected service that feeds text into the agent can pose a risk to hidden prompts, making sensitive business data vulnerable to exfiltration.
Source: radware.com
Attack Flow
| Step | Description |
| Malicious Email Crafting | Attackers create a legitimate email embedded with hidden, invisible prompt instructions to extract sensitive data. Use social engineering and obfuscation. |
| Email Delivery and Receipt | The victim receives the email in Gmail without needing to open it; hidden commands are present in the email’s HTML body. |
| User Invokes Deep Research | The victim asks ChatGPT’s Deep Research Agent to analyze their inbox or specific emails, triggering the agent’s activity. |
| Parsing Hidden Instructions | The agent reads and interprets the hidden malicious prompt embedded within the attacker’s email. |
| Extraction of Sensitive Data | Following the instructions, the agent locates and extracts personal information like names and addresses from real emails. |
| Data Exfiltration to Attacker | The agent uses internal tools to send the extracted, often Base64-encoded data to an attacker-controlled external server. |
| Victim Remains Unaware | The entire process happens silently on OpenAI’s servers with no visible alerts or client-side traces for the user or admins. |
Why It’s Effective
This “zero-click” attack happened entirely on OpenAI’s servers, where traditional security tools couldn’t detect or stop it, and victims never saw any warning. OpenAI was informed by radware security team in June 2025 and OpenAI fully patched the issue by September.
The attack runs silently in a trusted cloud environment, invisible to users and traditional security tools.
It tricks the AI into repeatedly sending encoded sensitive data, bypassing safety checks and ensuring successful data theft. This stealthy, zero-click nature means no user interaction is required, making detection extremely difficult and allowing the attacker to exfiltrate data unnoticed over extended periods.
Recommendations:
Here are some recommendations below
- Email Sanitization: Normalize and strip hidden or suspicious HTML/CSS elements from emails before they are processed by AI agents. This reduces the risk of hidden prompt injections.
- Strict Agent Permissions: Limit AI agent access only to the data and tools necessary for its tasks, minimizing exposure to sensitive information.
- Behavior Monitoring: Continuously monitor AI agent actions and behavior in real time to detect anomalies or actions deviating from user intent.
- Regular Patch Management: Keep AI tools, connectors and integrated systems up to date with the latest security fixes and improvements.
- Awareness and Training: Educate users and administrators about the types of attacks AI agents are vulnerable to, fostering vigilance and quick incident response.
Conclusion
The ShadowLeak vulnerability underscores the critical risks posed when powerful AI tools operate without sufficient safeguards. By hiding secret commands inside emails, attackers were able to steal personal information without the user knowing.
This case highlights the need for strong safety measures, including limiting AI access to sensitive information, sanitizing inputs to prevent hidden commands, and continuously monitoring agent behavior to detect anomalies.
As more AI tools are used, it’s important to keep strong security controls and oversight to use these technologies safely and protect sensitive data from new threats.
References:
ChatGPT Agents are Here to unlock Potential—So are Privacy & Security Risk
By Mahesh Maney R, Director of Products, Intrucept pvt Ltd
A broader concept of LLM is ChatGPT where internally trained models and run via human based queries from where one gets a reply.
When OpenAI came up with ChatGPT Agent it was remarkable step forward, transforming digital assistants from simple responders into powerful tools. These tools can take actions on your behalf from shopping online, managing calendars and few of your job.
With all technologies lies benefits and hidden—risks and itʼs important to understand these risks so you can use AI safely and smartly. Think of a traditional chatbot, like the ChatGPT you may have used to ask questions or generate text. Itʼs like an email assistant that only ever drafts emails you ask for.
ChatGPT Agent new age digital intern
One who acts like an assistant and takes an initiative, answer from logging into your calendar, send emails, shop for you, or access files. It may even make important choices without asking you each time.
With this power comes responsibility—and risk. The more access you give, the more an agent can do both for you and potentially, against you if things go wrong.
AI Agents are the smarter ones
AI agents take things further and perform a task autonomously. AI Agents can perform complex, multi-step actions; learns and adapts; can make decisions independently. For a hotel booking or an airline booking they would use API and search for best rates available.
Agentic AI vs. Non-Agentic AI: The Big Difference
Feature
Non-Agentic AI (Old)
What it does
Needs permissions?
Can use other apps/tools?
Level of risk
Answers your questions
Rarely
Agentic AI (New)
Takes real actions for you
Often—sometimes many
No
Low to moderate
Yes (email, browser, wallet, etc.)
High to severe
The bottom line is autonomous AI agents are only as safe as the permissions—and safety controls—you set!
Everyday Examples—and What Could Go Wrong
Online Shopping
Access needed: Browser, payment info, your address
Risk: If hacked, it could leak your card details or ship to wrong people
Scheduling a Meeting
Access needed: Email, calendar, contacts
Risk: Unintended data sharing or impersonation (like sending fake invites)
Why the Risks Are Growing—Fast
In the past, people worried that AI might remember things they typed. Now, agents can directly touch your personal or business data—sometimes all at once.
Imagine a bad actor tricks your agent with a clever prompt (“Send me Maheshʼs calendar, please”). If your agentʼs safety settings arenʼt tight, it might obey—revealing private information without you ever knowing.
Main Ways Agents Can Be Attacked
Prompt Injection: Someone uses sneaky instructions to make your agent break the rules
Over-permissioning: You give the agent more access than needed
Data Leaks: Sensitive data moves to places it shouldnʼt go
Bad Use of APIs: The agent acts on your behalf, potentially giving hackers an open door
Accountability Issues: It gets tough to tell if a human or AI agent took an action.
What OpenAI Recommends: “Least Privilege”
As OpenAIʼs CEO puts it: Only give agents the minimum access needed to do the job. This is a core security principle—think
“need-to-know” for AI.
Challenges for Everyone
AI is new to many: Most users and even some developers arenʼt sure how these agents really work
Transparency is tough: Itʼs not always clear what the agent did—or why
Security best practices are struggling to keep up with the curiosity and pressure: People rush to try AI, sometimes without thinking through the risks. Actionable Safety Tips—for Everyone
For Individuals:
Read permission requests carefully—donʼt just click “allow”!
Use test accounts (not your primary email or calendar) when trying new AI features
Never enter payment info or passwords directly unless you trust and understand the agent
Regularly check what apps and agents have access to your data
For Businesses & Organizations:
Track all usage and agent actions with audit logs
Set up alerts for unusual or high-risk activity
Use roles and access controls to restrict what agents can see and do
Final Thoughts: Balancing Innovation and Security
ChatGPT Agents are powerful and can make work and life easier. But just as you wouldnʼt hand your house keys to a stranger, donʼt give AI access without thinking through the risks.
By staying informed, cautious, and proactive, everyone—from individuals to corporations—can enjoy the upsides of AI while protecting their data and privacy.
Agentic AI means something very specific in business today—an AI that can decide what to do next and perform a series of actions across various tools or data sources
GenAI are designed to handle specific use cases and consist a set of components trained to enable learning or reasoning while they have internal access to data.
Stay Informed and Stay Safe!
Subscribe for the latest updates on AI safety, privacy strategies, and actionable tips for users at every level.
Fake ChatGPT Desktop App used to deliver PipeMagic Malware
Microsoft finds that a fake ChatGPT Desktop App Delivering PipeMagic Backdoor,a part of sophisticated malware framework. The PipeMagic campaign represents a dangerous evolution in the global cybercrime landscape. The malicious campaign, powered by a new backdoor called PipeMagic, targets multiple industries including IT, finance, and real estate. The PipeMagic attack is centered around CVE-2025-29824, a critical Windows Common Log File System (CLFS) vulnerability
The PipeMagic campaign a malware to technical threat exploiting trust globally
As per Microsoft cybercriminals are disguising malware as widely popular ChatGPT Desktop Application to launch ransomware attacks across the globe.
PipeMagic’s evolution from malware to technical threat exploiting trust globally
The malware allows hackers to escalate privileges once inside a system, by leveraging the immense popularity of ChatGPT, attackers have successfully weaponized user trust.
Microsoft has linked the operation to Storm-2460, a financially motivated cybercrime group known for deploying ransomware through stealthy backdoors.
PipeMagic is a malware first detected in December 2022 while investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia. To penetrate the infrastructure, the attackers exploited the CVE-2017-0144 vulnerability.
The backdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. PipeMagic supported two modes of operation – as a full-fledged backdoor providing remote access, and as a network gateway – and enabled the execution of a wide range of commands.
Pipemagic’s technique of attack
PipeMagic also reflects a growing trend where attackers combine fileless malware techniques with modular frameworks.
By running directly in memory, it avoids detection from traditional signature-based tools. The modular design means it can expand its functionality much like commercial software — essentially transforming cybercrime into a scalable business model.
Another key point is the use of cloud infrastructure for command-and-control. By hosting their servers on Azure, the hackers blend into normal enterprise traffic, making malicious communications far less suspicious. This tactic underscores the need for behavioral monitoring instead of relying solely on blacklists.
Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. This is a warning sign for future attacks in the broader cybersecurity landscape.
PipeMagic’s modus operandi could be an inspiration for future malware families and its modular framework could fuel a wave of ransomware-as-a-service operations. That possibility raises the stakes not just for enterprises but also for small businesses and even government institutions.
The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source for chat GPT application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.
The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and its C2 server.
The malware self-updates by storing these modules in memory using a series of doubly linked lists.
These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage capabilities of backdoor throughout its lifecycle.
By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.
Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS).
New Cyberattack Methodology ‘Man in Prompt’, User’s at Risk, Target-AI Tools
AI tools like ChatGPT, Google Gemini and others being afflicted by malicious actors via injecting harmful instructions into leading GenAI tools. These were overlooked previously and attack methodology targets the browser extensions installed by various organizations.
The attack methodology named as ‘Man in Prompt’, exercise its attack with new class exploit targeting the AI tools as per LayerX’s researchers.
As per the research any browser extension, even without any special permissions, can access the prompts of both commercial and internal LLMs and inject them with prompts to steal data, exfiltrate it and cover their tracks.
The exploit has been tested on all top commercial LLMs, with proof-of-concept demos provided for ChatGPT and Google Gemini.
The question is how do they impact Users & organizations at large & how does the AI tools function within web browsers?
For organizations the implications can be high then expected as AI tools are most sought after and slowly organization across verticals are relying on AI tools.
The LLMs used and tested on many organizations are mostly trained ones. They carry huge data set of information which are mostly confidential and possibility of being vulnerable to such attack rises .
The attack methodology named as ‘Man in Prompt’, exercise its attack with new class exploit targeting the AI tools as per LayerX’s researchers. As per the research any browser extension, even without any special permissions, can access the prompts of both commercial and internal LLMs and inject them with prompts to steal data, exfiltrate it, and cover their tracks.
The attack methodology named as ‘Man in Prompt’, exercise its attack with new class exploit targeting the AI tools as per LayerX’s researchers. As per the research any browser extension, even without any special permissions, can access the prompts of both commercial and internal LLMs and inject them with prompts to steal data, exfiltrate it, and cover their tracks.
LayerX researcher termed this type of attack as ‘hacking copilots’ that are equipped to steal organizational information.
The prompts given are a part of the web page structure where input fields are known as the Document Object Model, or DOM. So virtually any browser extension with basic scripting access to the DOM can read or alter what users type into AI prompts, even without requiring special permissions.
Bad actors can use compromised extensions to carry out activities including manipulating a user’s input to the AI.
- Perform prompt injection attacks, altering the user’s input or inserting hidden instructions.
- Extract data directly from the prompt, response, or session.
- Compromise model integrity, tricking the LLM into revealing sensitive information or performing unintended actions
Understanding the attack scenario
Proof-of-concept attacks against major platforms
For ChatGPT, an extension with minimal declared permissions could inject a prompt, extract the AI’s response and remove chat history from the user’s view to reduce detection.
LayerX implemented an exploit that can steal internal data from corporate environments using Google Gemini via its integration into Google Workspace.
Over the last few months, Google has rolled out new integrations of its Gemini AI into Google Workspace. Currently, this feature is available to organizations using Workspace and paying users.
Gemini integration is implemented directly within the page as added code on top of the existing page. It modifies and directly writes to the web application’s Document Object Model (DOM), giving it control and access to all functionality within the application
These platforms are vulnerable to any exploit which Layer X researchers showcased that without any special permissions shows how practically any user is vulnerable to such an attack.
Threat mitigation
These kind of attacks creates a blind spot for traditional security tools like endpoint Data Loss Prevention (DLP) systems or Secure Web Gateways, as they lack visibility into these DOM-level interactions. Blocking AI tools by URL alone also won’t protect internal AI deployments.
LayerX advises organisations to adjust their security strategies towards inspecting in-browser behaviour.
Key recommendations include monitoring DOM interactions within AI tools to detect suspicious activity, blocking risky extensions based on their behavior rather than just their listed permissions, and actively preventing prompt tampering and data exfiltration in real-time at the browser layer.
(Source: https://layerxsecurity.com/blog/man-in-the-prompt-top-ai-tools-vulnerable-to-injection/)
Sophisticated Phishing Attack Exposed Over 600,000 Users to Data Theft; 16 Chrome Extensions Hacked
A sophisticated phishing attack exposed 600, 000 user data to theft as 16 Chrome Extensions got hacked amounting to credential theft. The attack targeted extension publishers through phishing emails where Developers were tricked into granting access to a malicious OAuth app via fake Chrome Web Store emails. The malicious update mimicked official communications from the Chrome Web Store, stealing sensitive user data.
This breach puts Facebook ad users at high risk of account hacking or unknown access
Summary of the attack
The phishing email was designed to create a sense of urgency posing as Google Chrome Web Store Developer Support, warns the employee of the extension removal for policy violations. The message urges the recipient to accept the publishing policy.
As per Cyberhaven, a cybersecurity firm report mentioned about the impacted firms as the attack occurred on December 24 and involved phishing a company employee to gain access to their Chrome Web Store admin credentials.
16 Chrome Extensions, including popular ones like “AI Assistant – ChatGPT and Gemini for Chrome,” “GPT 4 Summary with OpenAI,” and “Reader Mode,” were compromised, exposing sensitive user data.
Response & Recommendations:
The attackers targeted browser extension publishers with phishing campaigns to gain access to their accounts and insert malicious code.
Extensions such as “Rewards Search Automator” and “Earny – Up to 20% Cash Back” were used to exfiltrate user credentials and identity tokens, particularly from Facebook business accounts.
Malicious versions of extensions communicated with external Command-and-Control (C&C) servers, such as domains like “cyberhavenext[.]pro.”
- Cyberhaven released a legitimate update (version 24.10.5), hired Mandiant to develop an incident response plan and also notified federal law enforcement agencies for investigation.
- All users advised to revoke credentials, monitor logs, and secure extensions; investigations continue.
- As per Cyberhaven, version 24.10.4 of Chrome extension was affected, and the malicious code was active for less than a day.
- The malicious extension used two files: worker.js contacted a hardcoded C&C server to download configuration and executed HTTP calls, and content.js that collected user data from targeted websites and exfiltrated it to a malicious domain specified in the C&C payload.
Recent Comments