Full Report
An AI browser agent architecture works by granting a privileged origin control of the browser through an agent interface. In the case of Atlas, the focus of this post, OpenAI relied on the Mojo IPC interface. This interface is used for privileged pages, such as `*.openai.com`, to talk to the Chromium browser process to perform actions like opening browser tabs, navigating URLs, and more. Having access to these Mojo APIs is super scary though. It's really not meant to be exposed to web pages because of the power it gives those domains.

So, the researchers decided to hunt for XSS vulnerabilities on OpenAI subdomains. After a while, they found one on forums.openai.com via postMessage. The postMessage handler accepted a URL from an arbitrary domain and opened it. So, you could send a `javascript:` URI as the URL, and it would execute in the context of OpenAI. Yikes! The postMessage listener was only activated on authenticated pages. Lucky for them, the website also had a login CSRF vulnerability.

So, we have access to Mojo: now what? The context of the page has a list of tools that can be used. `kaur1br5` is the codename for the tool responsible for controlling the browser, including listing tabs, searching browser history and adding bookmarks. They tried adding `javascript:` bookmarks but this was rejected. They tried navigating to JavaScript URIs but these were rejected as well. Eventually, they settled on `list_tabs()`. This allows for querying the full URL of each tab. This can leak information about browser-navigated URLs, including OAuth codes. The PoC leaks a user's GitHub OAuth token, which is pretty neat.

How was this fixed? It's not in the report. I would imagine they fixed the XSS and limited the impact of list_tabs to not include all information about a URL. Alas, this is still bad design and we probably haven't seen the end of this browser.
Analysis Summary
# Vulnerability: OpenAI Atlas Browser Agent Interface Exposure via XSS
## CVE Details
- **CVE ID**: Not Assigned (Reported via Bugcrowd)
- **CVSS Score**: Estimated 8.8 (High) - [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N]
- **CWE**: CWE-79 (Cross-site Scripting), CWE-250 (Execution with Unnecessary Privileges)
## Affected Systems
- **Products**: OpenAI Atlas (AI-powered Chromium-based browser)
- **Versions**: Versions prior to 1.2025.288.15
- **Configurations**: Default installations utilizing the integrated AI browser agent and Mojo IPC interface.
## Vulnerability Description
The vulnerability stems from a dangerous architectural design where the **Mojo IPC (Inter-Process Communication)** interface—typically reserved for internal `chrome://` pages—was exposed to the `*.openai.com` privileged origin.
Security researchers identified a chain of flaws to exploit this:
1. **PostMessage XSS**: A vulnerability on `forums.openai.com` allowed an attacker to send a `postMessage` containing a `javascript:` URI. The handler executed this URI in the context of the OpenAI domain.
2. **Login CSRF**: The XSS was only reachable on authenticated pages; however, a Login CSRF flaw allowed attackers to force a victim into an authenticated state to trigger the XSS.
3. **Mojo IPC Access**: Once executing JavaScript on an OpenAI subdomain, the attacker gained access to the `Mojo` interface and the `LocalToolHandler`. This granted the script "god-mode" permissions over the browser process.
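The two checks missing from the handler described in step 1, written as an added example (this is not the forum's code or OpenAI's fix). The sender allow-list and the `{ url }` message shape are assumptions; the scheme is checked on the parsed URL so that case and whitespace variants of `javascript:` are normalised before the comparison.

```javascript
// Added example, not the forum's code. Allow-list and message shape are assumptions.
const PAGE_ORIGIN = "https://forums.openai.com";
const TRUSTED_SENDERS = new Set([PAGE_ORIGIN]); // assumed: same-origin frames only
const ALLOWED_SCHEMES = new Set(["https:"]);

// Decide whether a message may trigger a navigation. Opens nothing itself.
function validateOpenRequest(event) {
  // 1. Sender check: event.origin is set by the browser, not by the sender.
  if (!TRUSTED_SENDERS.has(event.origin)) {
    return { ok: false, reason: "untrusted-origin" };
  }
  // 2. Shape check: expect { url: string } (hypothetical message format).
  const data = event.data;
  if (data === null || typeof data !== "object" || typeof data.url !== "string") {
    return { ok: false, reason: "bad-shape" };
  }
  // 3. Scheme check on the parsed URL, never on the raw string: the URL
  //    parser lowercases the scheme and strips leading spaces, tabs and newlines.
  let parsed;
  try {
    parsed = new URL(data.url, PAGE_ORIGIN);
  } catch {
    return { ok: false, reason: "unparseable-url" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "blocked-scheme" };
  }
  return { ok: true, url: parsed.href };
}

// Browser wiring; skipped when the file is run under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const verdict = validateOpenRequest(event);
    if (!verdict.ok) {
      // Rejections are worth logging: they are the cross-origin messages
      // the Detection section calls out.
      console.warn("postMessage rejected:", verdict.reason, event.origin);
      return;
    }
    window.open(verdict.url, "_blank", "noopener,noreferrer");
  });
}
```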
## Exploitation
- **Status**: PoC available; disclosed to vendor and fixed.
- **Complexity**: Medium (Requires chaining XSS and CSRF).
- **Attack Vector**: Network/Remote (Triggered via a malicious website).
## Impact
- **Confidentiality**: **High**. Attackers can use the `list_tabs()` tool via Mojo to monitor all open tabs in real-time, leaking full URLs which include sensitive data such as **OAuth authorization codes**, session tokens, and private browsing history.
- **Integrity**: **Low/Medium**. While certain actions like navigating to `javascript:` URIs were restricted, the ability to control browser state and interact with browser bookmarks was present.
- **Availability**: **None**. No specific denial-of-service vector was noted.
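One way a tab-listing tool could limit what it returns so that OAuth codes in query strings and fragments never reach the calling page. This is an added example, not Atlas code and not the vendor's fix, which the report does not describe; `redactTabUrl`, `listTabsRedacted` and the sample tabs are constructed for illustration.

```javascript
// Added example: shrink tab URLs before a tool such as list_tabs() returns them.
// Deny by default: drop the whole query string and fragment rather than
// trying to enumerate "sensitive" parameter names.
function redactTabUrl(raw, mode = "origin-path") {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null; // unparseable entries are withheld entirely
  }
  // Internal pages (chrome://, file:, etc.) are not reported at all.
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (mode === "origin") return u.origin; // strictest: scheme + host + port
  u.username = ""; // credentials embedded in the URL
  u.password = "";
  u.search = "";   // authorization codes arrive as ?code=...&state=...
  u.hash = "";     // implicit-flow tokens arrive in the #fragment
  return u.href;
}

// Apply the redaction to a tab list of the assumed shape { id, title, url }.
function listTabsRedacted(tabs, mode) {
  return tabs.map((t) => ({ id: t.id, title: t.title, url: redactTabUrl(t.url, mode) }));
}

// Constructed sample data; hosts and values are placeholders.
const SAMPLE_TABS = [
  { id: 1, title: "Callback", url: "https://app.example/callback?code=CONSTRUCTED_CODE&state=abc" },
  { id: 2, title: "Implicit", url: "https://app.example/#access_token=CONSTRUCTED_TOKEN" },
  { id: 3, title: "Settings", url: "chrome://settings/" },
  { id: 4, title: "Userinfo", url: "https://user:pw@host.example/path?x=1" },
];

console.log(listTabsRedacted(SAMPLE_TABS));
```

Paths can carry secrets too (magic links, signed download paths), which is what the `"origin"` mode is for.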
## Remediation
### Patches
- **Update to Atlas version 1.2025.288.15** or higher. OpenAI deployed a fix on October 23, 2025, which reportedly addressed the XSS and restricted the capabilities of the Mojo tools.
### Workarounds
- Users should avoid using specialized AI browsers for sensitive tasks (e.g., banking or OAuth logins) until the security posture of the underlying agent architecture is further matured.
- Clear browser cookies and log out of OpenAI services if an untrusted link was visited within the Atlas browser.
## Detection
- **Indicators of Compromise**: Unexpected `postMessage` calls originating from third-party domains to `forums.openai.com`.
- **Detection Methods**: Monitor for unauthorized calls to Chromium's Mojo JavaScript bindings from web-facing origins.
## References
- **Vendor Advisory**: OpenAI Bugcrowd Program (Internal)
- **Research Post**: hxxps[://]www[.]hacktron[.]ai/blog/hacking-openai-atlas-browser
- **Mojo IPC Documentation**: hxxps[://]chromium[.]googlesource[.]com/chromium/src/+/main/docs/mojo_in_chromium[.]md