A researcher found a severe flaw in ChatGPT that allowed particulars from a dialog to be leaked to an exterior URL.
When Johann Rehberger tried to alert OpenAI to the potential flaw, he obtained no response, forcing the researcher to reveal particulars of the flaw publicly.
Following the disclosure OpenAI launched security checks for ChatGPT that mitigate the flaw, however not fully.
A hasty patch
The flaw in query permits malicious chatbots powered by ChatGPT to exfiltrate delicate information, such because the content material of the chat, alongside metadata and technical information.
A secondary methodology includes the sufferer submitting a immediate provided by the attacker, which then makes use of picture markdown rendering and immediate injecting to exfiltrate the information.
Rehberger initially reported the flaw to OpenAI manner again in April 2023, supplying extra particulars on how it may be utilized in extra devious methods by way of November.
Rehberger said that, “This GPT and underlying directions have been promptly reported to OpenAI on November, thirteenth 2023. Nevertheless, the ticket was closed on November fifteenth as “Not Relevant”. Two comply with up inquiries remained unanswered. Therefore it appears greatest to share this with the general public to lift consciousness.”
Are you a professional? Subscribe to our e-newsletter
Signal as much as the TechRadar Professional e-newsletter to get all the highest information, opinion, options and steering your online business must succeed!
As an alternative of additional pursuing an apparently non-respondent OpenAI, Rehberger as a substitute determined to go public together with his discovery, releasing a video demonstration of how his complete dialog with a chatbot designed to play tic-tac-toe was extracted to a third-party URL.
To mitigate this flaw, ChatGPT now performs checks to stop the secondary methodology talked about above from happening. Rehberger responded to this repair stating, “When the server returns a picture tag with a hyperlink, there may be now a ChatGPT client-side name to a validation API earlier than deciding to show a picture.”
Sadly, these new checks don’t totally mitigate the flaw, as Rehberger found that arbitrary domains are nonetheless generally rendered by ChatGPT, however a profitable return is hit or miss. Whereas these checks have apparently been applied on the desktop variations of ChatGPT, the flaw stays viable on the iOS cellular app.
By way of BleepingComputer
<header
