Cybersecurity researchers have disclosed a new set of vulnerabilities impacting OpenAI's ChatGPT artificial intelligence (AI) chatbot that could be exploited by an attacker to steal personal information from users' memories and chat histories without their knowledge.
The seven vulnerabilities and attack techniques, according to Tenable, were found in OpenAI's GPT-4o and GPT-5 models. OpenAI has

Artificial Intelligence / Vulnerability

Cybersecurity researchers have disclosed a new set of vulnerabilities impacting OpenAI's ChatGPT artificial intelligence (AI) chatbot that could be exploited by an attacker to steal personal information from users' memories and chat histories without their knowledge.

The seven vulnerabilities and attack techniques, according to Tenable, were found in OpenAI's GPT-4o and GPT-5 models. OpenAI has since addressed some of them.

These issues expose the AI system to indirect prompt injection attacks, allowing an attacker to manipulate the expected behavior of a large language model (LLM) and trick it into performing unintended or malicious actions, security researchers Moshe Bernstein and Liv Matan said in a report shared with The Hacker News.

The identified shortcomings are listed below -

*   Indirect prompt injection vulnerability via trusted sites in Browsing Context, which involves asking ChatGPT to summarize the contents of web pages with malicious instructions added in the comment section, causing the LLM to execute them
*   Zero-click indirect prompt injection vulnerability in Search Context, which involves tricking the LLM into executing malicious instructions simply by asking about a website in the form of a natural language query, owing to the fact that the site may have been indexed by search engines like Bing and OpenAI's crawler associated with SearchGPT.
*   Prompt injection vulnerability via one-click, which involves crafting a link in the format "chatgpt\[.\]com/?q={Prompt}," causing the LLM to automatically execute the query in the "q=" parameter
*   Safety mechanism bypass vulnerability, which takes advantage of the fact that the domain bing\[.\]com is allow-listed in ChatGPT as a safe URL to set up Bing ad tracking links (bing\[.\]com/ck/a) to mask malicious URLs and allow them to be rendered on the chat.
*   Conversation injection technique, which involves inserting malicious instructions into a website and asking ChatGPT to summarize the website, causing the LLM to respond to subsequent interactions with unintended replies due to the prompt being placed within the conversational context (i.e., the output from SearchGPT)
*   Malicious content hiding technique, which involves hiding malicious prompts by taking advantage of a bug resulting from how ChatGPT renders markdown that causes any data appearing on the same line denoting a fenced code block opening (\`\`\`) after the first word to not be rendered
*   Memory injection technique, which involves poisoning a user's ChatGPT memory by concealing hidden instructions in a website and asking the LLM to summarize the site

The disclosure comes close on the heels of research demonstrating various kinds of prompt injection attacks against AI tools that are capable of bypassing safety and security guardrails -

*   A technique called PromptJacking that exploits three remote code execution vulnerabilities in Anthropic Claude's Chrome, iMessage, and Apple Notes connectors to achieve unsanitized command injection, resulting in prompt injection
*   A technique called Claude pirate that abuses Claude's Files API for data exfiltration by using indirect prompt injections that weaponize an oversight in Claude's network access controls
*   A technique called agent session smuggling that leverages the Agent2Agent (A2A) protocol and allows a malicious AI agent to exploit an established cross-agent communication session to inject additional instructions between a legitimate client request and the server's response, resulting in context poisoning, data exfiltration, or unauthorized tool execution
*   A technique called prompt inception that employs prompt injections to steer an AI agent to amplify bias or falsehoods, leading to disinformation at scale
*   A zero-click attack called shadow escape that can be used to steal sensitive data from interconnected systems by leveraging standard Model Context Protocol (MCP) setups and default MCP permissioning through specially crafted documents containing "shadow instructions" that trigger the behavior when uploaded to AI chatbots
*   An indirect prompt injection targeting Microsoft 365 Copilot that abuses the tool's built-in support for Mermaid diagrams for data exfiltration by taking advantage of its support for CSS
*   A vulnerability in GitHub Copilot Chat called CamoLeak (CVSS score: 9.6) that allows for covert exfiltration of secrets and source code from private repositories and full control over Copilot's responses by combining a Content Security Policy (CSP) bypass and remote prompt injection using hidden comments in pull requests
*   A white-box jailbreak attack called LatentBreak that generates natural adversarial prompts with low perplexity, capable of evading safety mechanisms by substituting words in the input prompt with semantically-equivalent ones and preserving the initial intent of the prompt

The findings show that exposing AI chatbots to external tools and systems, a key requirement for building AI agents, expands the attack surface by presenting more avenues for threat actors to conceal malicious prompts that end up being parsed by models.

"Prompt injection is a known issue with the way that LLMs work, and, unfortunately, it will probably not be fixed systematically in the near future," Tenable researchers said. "AI vendors should take care to ensure that all of their safety mechanisms (such as url\_safe) are working properly to limit the potential damage caused by prompt injection."

The development comes as a group of academics from Texas A&M, the University of Texas, and Purdue University found that training AI models on "junk data" can lead to LLM "brain rot," warning "heavily relying on Internet data leads LLM pre-training to the trap of content contamination."

Last month, a study from Anthropic, the U.K. AI Security Institute, and the Alan Turing Institute also discovered that it's possible to successfully backdoor AI models of different sizes (600M, 2B, 7B, and 13B parameters) using just 250 poisoned documents, upending previous assumptions that attackers needed to obtain control of a certain percentage of training data in order to tamper with a model's behavior.

From an attack standpoint, malicious actors could attempt to poison web content that's scraped for training LLMs, or they could create and distribute their own poisoned versions of open-source models.

"If attackers only need to inject a fixed, small number of documents rather than a percentage of training data, poisoning attacks may be more feasible than previously believed," Anthropic said. "Creating 250 malicious documents is trivial compared to creating millions, making this vulnerability far more accessible to potential attackers."

And that's not all. Another research from Stanford University scientists found that optimizing LLMs for competitive success in sales, elections, and social media can inadvertently drive misalignment, a phenomenon referred to as Moloch's Bargain.

"In line with market incentives, this procedure produces agents achieving higher sales, larger voter shares, and greater engagement," researchers Batu El and James Zou wrote in an accompanying paper published last month.

"However, the same procedure also introduces critical safety concerns, such as deceptive product representation in sales pitches and fabricated information in social media posts, as a byproduct. Consequently, when left unchecked, market competition risks turning into a race to the bottom: the agent improves performance at the expense of safety."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Researchers Find ChatGPT Vulnerabilities That Let Attackers Trick AI Into Leaking Data

Chrome’s enhanced autofill makes storing your passport and ID easy—but convenience like this can come at a high cost.

Google has rolled out a new autofill feature for Chrome that goes beyond storing just your passwords, addresses, and credit card numbers. The new “enhanced autofill” can now stash your driver’s license, passport details, VIN, or license plate information. Sounds convenient, right?

But just because you can, it doesn’t mean you should.

Let’s face it: filling out government forms or travel bookings online is a pain. Anything that saves a few minutes—or spares you from hunting down your passport at the back of a drawer—feels like a win, especially if Chrome can neatly autofill those fields. And yes, Google promises encryption, explicit permission for autofill, and manual activation only if you want it.

But let’s think this through. Is storing your most personally identifiable information—like government-issued IDs—in the market-dominant browser a good idea? Because that’s what Chrome is.

Chrome’s market share (over 73% at the time of writing) makes it the internet’s biggest bullseye for criminals. Whether you’re using the enhanced autofill or the regular one, browser-based storage schemes are relentlessly hunted by password stealers, infostealers, and other types of malware.

And let’s not forget phishing attempts. Maybe having to dig through your drawer while you think about why a website needs that information isn’t such a bad thing after all.

Sure, Chrome encrypts autofill data, only saves your info with permission, and asks for confirmation before pasting it into a form. You can also ramp up security with two-factor authentication (2FA) and a Chrome sync passphrase. But when cybercriminals get the right kind of access (by stealing a browser session, finding an unlocked device, or getting you to install a rogue extension), your sensitive information is in danger. And with what Chrome can now store, that could mean your identity.

Chrome’s enhanced autofill promises a smoother online ride, but the consequences of storing government IDs in your browser could outweigh the perks. Cybercriminals love a big target—and with Chrome’s popularity, the bounty only grows. When the reward for a criminal is your passport, driver’s license, or identity, convenience should come second to caution.

Thankfully, someone decided it was a good idea to turn off this feature by default, but if you want to check, here’s how to find it:

*   Open Chrome.
*   In the main Chrome menu, click on **Settings**.
*   Under **Autofill and passwords**, select **Enhanced autofill** if present.

**Better alternative: password managers**

We would advise that if you must store this kind of information digitally, use a password manager. These tools are built for secure storage—they’re audited for security, separate from browser processes, and don’t automatically serve up your data to any site that happens to have the right input fields.

Stick to a dedicated password manager and stay in control of what’s stored and where it gets filled out. Remember: the less a browser knows about your life, the safer you are when someone eventually tries to break in.

**Other recommendations:**

*   Make sure your browser is up to date.
*   Use a real-time up-to-date anti-malware solution with web protection.
*   Use two-factor authentication or passkeys to enhance the security of your important accounts.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Should you let Chrome store your driver’s license and passport? 

Google Chrome browser’s new enhanced autofill feature can now remember and automatically fill in personal data such as…

Google Chrome browser’s new enhanced autofill feature can now remember and automatically fill in personal data such as licenses, passports, and even vehicle identification numbers. It’s a small addition that could make form-filling faster than ever, but also one that invites a fresh look at where that data sits and how safe it really is.

Google says the upgrade builds on Chrome’s long-standing autofill capability for passwords, addresses, and payment details. The company promises stronger privacy protections this time, stating that the browser will store information only with user consent, protect it with encryption, and ask for confirmation before it’s used. In a **blog post** announcing the update, Google wrote that users will remain “in full control” of their stored data.

While the convenience factor is clear, the change introduces new layers of sensitivity. Information like passports and **vehicle details** can reveal much more about a person than an address or phone number. Cybersecurity professionals are already weighing in on what that could mean for user safety.

**Nivedita Murthy**, Senior Staff Consultant at Black Duck, noted that while Google’s autofill has always been a time-saver, it also concentrates personal information in one place. “This information is not stored in a secure format,” she explained.

“While the autofill option is very convenient for users, it adds risk in keeping your personal information in one location. Google accounts are also used in other places to authenticate. If your email account is compromised, not only could your emails get leaked, but any personal information that is also stored within that account.”

She adds that users need to weigh convenience against possible consequences. A single compromised Google account could give attackers access not just to messages, but to sensitive identification data now stored in the same place.

Nevertheless, the new feature also runs counter to long-standing advice from the cybersecurity community, which urges users to avoid storing passwords or autofill data in browsers due to a growing number of malware strains targeting such information. **Shuyal Stealer**, for instance, is known to target data from 17 of the most widely used browsers.

For now, Google’s global rollout is limited to desktop Chrome users, with plans to expand the types of data it can recognize in future updates. The company maintains that privacy remains at the center of the design, but as always in cybersecurity, what’s convenient for the user can also be convenient for the wrong person.

Google Expands Chrome Autofill to Passports and Licenses, But Is It Safe?

Kaspersky researchers uncovered Operation ForumTroll, an attack campaign utilising the new 'Dante' spyware developed by Memento Labs, the rebranded Hacking Team. The attacks used a Chrome zero-day vulnerability (CVE-2025-2783) and COM hijacking for persistence, confirming the continued deployment of advanced surveillance tools by the controversial Italian firm.

A new global cyber-espionage threat has surfaced with the discovery of Dante, a commercial surveillance tool developed by the Italian company Memento Labs. For your information, Memento Labs is the rebranded entity of the controversial Italian surveillance firm, Hacking Team.

The cybersecurity firm Kaspersky unveiled the campaign, named Operation ForumTroll, which first hit targets in March 2025. Kaspersky attributes this attack to a specific threat group it tracks as ForumTroll APT.

****Phishing Trap and Zero-Day Attack****

The operation began with highly personalised phishing emails disguised as invitations to the ‘Primakov Readings’ international forum. These highly personalised messages targeted government bodies, research centres, universities, and media organisations, primarily in Russia and Belarus. The goal, according to Kaspersky’s research, was clearly espionage.

Phishing email sample (Image credit: Kaspersky Securelist)

The infection started when a recipient clicked a personalised link. The malicious site ran a quick check, called a Validator, to confirm the victim was a real user before executing the attack. The main trick involved exploiting a zero-day vulnerability in Google Chrome. This specific flaw, tracked as CVE-2025-2783, was particularly clever: it took advantage of a decades-old error in Windows to trick Chrome’s security process.

By doing this, the attackers managed to bypass all of Chrome’s protective barriers (sandbox escape) and gain full control of the system. Kaspersky reported the issue, leading Google to swiftly release a patch. The extensive list of previous zero-day attacks shared by Kaspersky shows this is a continuous, difficult effort to catch such malicious attacks.

Here’s the list of in-the-wild Zero-days reported by Kaspersky:

****Adobe****

*   CVE-2014-0497
*   CVE-2014-0515
*   CVE-2014-0546
*   CVE-2016-4171
*   CVE-2017-11292

****Microsoft****

*   CVE-2014-4077
*   CVE-2015-2360
*   CVE-2016-0034
*   CVE-2016-0165
*   CVE-2016-3393
*   CVE-2018-8174
*   CVE-2018-8453
*   CVE-2018-8589
*   CVE-2018-8611
*   CVE-2019-0797
*   CVE-2019-0859
*   CVE-2019-1458
*   CVE-2020-0986
*   CVE-2020-1380
*   CVE-2021-28310
*   CVE-2021-31955
*   CVE-2021-31956
*   CVE-2021-40449
*   CVE-2023-28252
*   CVE-2024-30051

****Google****

*   CVE-2019-13720
*   CVE-2024-4947
*   CVE-2025-2783

****Apple****

*   CVE-2023-32434
*   CVE-2023-32435
*   CVE-2023-38606
*   CVE-2023-41990

****New Tools, Old Habits: LeetAgent and Dante****

Once compromised, attackers installed a secret component to ensure persistent access. They achieved this using a technique called Component Object Model (COM) hijacking, which involves manipulating the Windows registry. By placing a custom entry in the user’s private settings, the attackers forced legitimate Windows programs to load their malicious code, which then launched the actual spyware LeetAgent, a tool designed to steal files (like documents and spreadsheets), run system commands, and record keystrokes.

Kaspersky’s researchers then found a direct operational and code link between the LeetAgent attacks and a more powerful tool they identified as Dante. This connection confirms a key development in the commercial spyware market. Dante is the new surveillance platform from Memento Labs, the company created after the infamous Hacking Team was acquired and rebranded in 2019.

Connection between LeetAgent and Dante, and Operation ForumTroll attack chain (Image credit: Kaspersky Securelist)

“We found similar code shared by the exploit, loader, and Dante. Taken together, these findings allow us to conclude that the Operation ForumTroll campaign was also carried out using the same toolset that comes with the Dante spyware,” researchers noted in the blog post.

As per Hackread.com’s earlier coverage, Hacking Team was founded in 2003 and is known for its powerful surveillance software, Da Vinci or Remote Control System (RCS) spyware. A massive 2015 data leak compromised their tools and exposed internal operations, causing their subsequent rebranding.

The discovery of Dante (whose name Kaspersky found written in the code) and its use by the ForumTroll APT group since at least 2022 confirms that the commercial surveillance market is constantly adapting. Despite the Hacking Team’s rebranding, their business of selling powerful spying tools persists.

Researchers suggest that finding and naming the developers of these advanced tools, a process called attribution, is crucial for addressing the true scope of global cyber-espionage.

New Dante Spyware Linked to Rebranded Hacking Team, Now Memento Labs

A list of topics we covered in the week of October 27 to November 2 of 2025

October 31, 2025 - Google’s latest Chrome release fixes seven serious flaws that could let attackers run malicious code just by luring you to a compromised page.

October 30, 2025 - Attackers don’t need to hack you to find you. They just piece together what’s already public.

October 30, 2025 - You could be one of more than 10 million people caught up in its recent data breach. Here's what to watch out for.

October 30, 2025 - Tina Pal wants a word about your PayPal account—but it's a scam. Here’s how to spot the red flags and what to do if you’ve already called.

October 29, 2025 - By blending search and chat in one field, OpenAI’s Atlas has made browsing more convenient—and more dangerous.

 A week in security (October 27 &#8211; November 2) 

A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack.
Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009, where "CL" stands for cluster and "STA" refers to state-backed motivation.
"Airstalk misuses the AirWatch API for mobile device management (MDM), which is now

A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack.

Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker **CL-STA-1009**, where "CL" stands for cluster and "STA" refers to state-backed motivation.

"Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management," security researchers Kristopher Russo and Chema Garcia said in an analysis. "It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads."

The malware, which appears in PowerShell and .NET variants, makes use of a multi-threaded command-and-control (C2) communication protocol and is capable of capturing screenshots and harvesting cookies, browser history, bookmarks, and screenshots from web browsers. It's believed that the threat actors are leveraging a stolen certificate to sign some of the artifacts.

Unit 42 said the .NET variant of Airstalk is equipped with more capabilities than its PowerShell counterpart, suggesting it could be an advanced version of the malware.

The PowerShell variant, for its part, utilizes the "/api/mdm/devices/" endpoint for C2 communications. While the endpoint is designed to fetch content details of a particular device, the malware uses the custom attributes feature in the API to use it as a dead drop resolver for storing information necessary for interacting with the attacker.

Once launched, the backdoor initializes contact by sending a "CONNECT" message and awaits a "CONNECTED" message from the server. It then receives various tasks to be executed on the compromised host in the form of a message of type "ACTIONS." The output of the execution is sent back to the threat actor using a "RESULT" message.

The backdoor supports seven different ACTIONS, including taking a screenshot, getting cookies from Google Chrome, listing all user Chrome profiles, obtaining browser bookmarks of a given profile, collecting the browser history of a given Chrome profile, enumerating all files within the user's directory, and uninstalling itself from the host.

"Some tasks require sending back a large amount of data or files after Airstalk is executed," Unit 42 said. "To do so, the malware uses the blobs feature of the AirWatch MDM API to upload the content as a new blob."

The .NET variant of Airstalk expands on the capabilities by also targeting Microsoft Edge and Island, an enterprise-focused browser, while attempting to mimic an AirWatch Helper utility ("AirwatchHelper.exe"). Furthermore, it supports three more message types -

*   MISMATCH, for flagging version mismatch errors
*   DEBUG, for sending debug messages
*   PING, for beaconing

In addition, it uses three different execution threads, each of which serves a unique purpose: to manage C2 tasks, exfiltrate the debug log, and beacon to the C2 server. The malware also supports a broader set of commands, although one of them appears not to have been implemented yet -

*   Screenshot, to take a screenshot
*   UpdateChrome, to exfiltrate a specific Chrome profile
*   FileMap, to list the contents of the specific directory
*   RunUtility (not implemented)
*   EnterpriseChromeProfiles, to fetch available Chrome profiles
*   UploadFile, to exfiltrate specific Chrome artifacts and credentials
*   OpenURL, to open a new URL in Chrome
*   Uninstall, to finish the
*   EnterpriseChromeBookmarks, to fetch Chrome bookmarks from a specific user profile
*   EnterpriseIslandProfiles, to fetch available Island browser profiles
*   UpdateIsland, to exfiltrate a specific Island browser profile
*   ExfilAlreadyOpenChrome, to dump all cookies from the current Chrome profile

Interestingly, while the PowerShell variant uses a scheduled task for persistence, its .NET version lacks such a mechanism. Unit 42 said some of the .NET variant samples are signed with a "likely stolen" certificate signed by a valid certificate authority (Aoteng Industrial Automation (Langfang) Co., Ltd.), with early iterations featuring a compilation timestamp of June 28, 2024.

It's currently not known how the malware is distributed, or who may have been targeted in these attacks. But the use of MDM-related APIs for C2 and the targeting of enterprise browsers like Island suggest the possibility of a supply chain attack targeting the business process outsourcing (BPO) sector.

"Organizations specializing in BPO have become lucrative targets for both criminal and nation-state attackers," it said. "Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely."

"The evasion techniques employed by this malware allow it to remain undetected in most environments. This is particularly true if the malware is running within a third-party vendor's environment. This is particularly disastrous for organizations that use BPO because stolen browser session cookies could allow access to a large number of their clients."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack

Google’s latest Chrome release fixes seven serious flaws that could let attackers run malicious code just by luring you to a compromised page.

Google has released an update for its Chrome browser that includes 20 security fixes, several of which are classed as high severity. Most of these flaws were found in Chrome’s V8 engine—the part of Chrome (and other Chromium-based browsers) that runs JavaScript.

Chrome is by far the world’s most popular browser, used by an estimated 3.4 billion people. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update.

These vulnerabilities are serious because they affect the code that runs almost every website you visit. Every time you load a page, your browser executes JavaScript from all sorts of sources, whether you notice it or not. Without proper safety checks, attackers can sneak in malicious instructions that your browser then runs—sometimes without you clicking anything. That could lead to stolen data, malware infections, or even a full system compromise.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be open to an attack just by browsing the web, and attackers often exploit these kinds of flaws before most users have a chance to update. Always let your browser update itself, and don’t delay restarting to apply security patches, because updates often fix exactly this kind of risk.

**How to update**

The Chrome update brings the version number to 142.0.7444.59/.60 for Windows, 142.0.7444.60 for MacOS and 142.0.7444.59 for Linux. So, if your Chrome is on the version number **142.0.7444.59 or later,** it’s protected from these vulnerabilities.

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the “**More**” menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then relaunch Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can find more detailed update instructions and how to read the version number in our article on how to update Chrome on every operating system.

**Technical details**

Among the vulnerabilities in the V8 engine there are two that stand out:

**CVE-2025-12428** is a high-severity “type confusion” vulnerability in the V8 JavaScript engine. This happens when code doesn’t verify the object type it’s handling and then uses it incorrectly. In other words, the software mistakes one type of data for another—like treating a list as a single value or a number as text. This can cause Chrome to behave unpredictably and, in some cases, let attackers manipulate memory and execute code remotely through crafted JavaScript on a malicious or compromised website. Google paid a $50,000 bounty for its discovery, highlighting its severity.

**CVE-2025-12036** involves an inappropriate implementation in V8 and is classified as critical. This one allows remote code execution (RCE)—meaning an attacker could run code on your computer just by getting you to visit a specially crafted page. Google’s Big Sleep project, an AI-driven system that automates vulnerability discovery, found the flaw. It stems from improper handling in the internals of the JavaScript and WebAssembly engines and carries a high risk of data theft, malware installation, or even full system compromise.

Users of other Chromium-based browsers—like Edge, Opera, and Brave—can expect similar updates in the near future.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update Chrome now: 20 security fixes just landed 

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

142.0.3595.53

10/31/2025

142.0.7445.59/.60

Tag

#chrome