Tenable researchers lately found seven new ChatGPT vulnerabilities and assault strategies that may be exploited for information theft and different malicious functions.
The assault strategies are associated to a number of options. One in every of them is the ‘bio’ characteristic, also referred to as ‘reminiscences’, which permits ChatGPT to recollect the person’s particulars and preferences throughout chat periods.
One other characteristic is the ‘open_url’ command-line perform, which is utilized by the AI mannequin to entry and render the content material of a specified web site tackle. This perform leverages SearchGPT, a special LLM that focuses on shopping the net, which has restricted capabilities and no entry to the person’s reminiscences. SearchGPT supplies its findings to ChatGPT, which then analyzes them and shares the related data with the person.
Tenable researchers additionally focused the ‘url_safe’ endpoint, which is designed to test whether or not a URL is protected earlier than exhibiting it to the person.
Initially, the researchers discovered that when ChatGPT is requested to summarize the content material of a given web site, SearchGPT will analyze the location and execute any AI prompts discovered on it, together with directions injected right into a web site’s feedback part. This allows the attacker to inject malicious prompts into well-liked web sites which are more likely to be summarized by ChatGPT at a person’s request.
Tenable’s specialists additionally confirmed that the person doesn’t essentially want to supply ChatGPT the URL of a web site containing malicious directions. As a substitute, attackers can arrange a brand new web site that’s more likely to present up in net search outcomes for area of interest subjects. ChatGPT depends on Bing and OpenAI’s crawler for net searches.
In its experiments, Tenable arrange a ‘malicious’ web site for LLM Ninjas. When ChatGPT was requested for details about LLM Ninjas, the malicious web site was accessed by SearchGPT, which executed a hidden immediate planted on the location.
One other immediate injection methodology — the only, as described by Tenable — concerned tricking the person into opening a URL within the type of ‘chatgpt.com/?q={immediate}’. The question within the ‘q’ parameter, together with malicious prompts, would mechanically be executed when the hyperlink was clicked. Commercial. Scroll to proceed studying.
Tenable additionally discovered that the ‘url_safe’ endpoint would at all times deal with bing.com as a protected area. Menace actors may use specifically crafted Bing URLs to exfiltrate person information. The attacker may lure customers to a phishing web site through the use of Bing click-tracking URLs, the lengthy Bing.com URLs that function an middleman hyperlink between the search outcomes and the ultimate vacation spot web site.
Whereas SearchGPT doesn’t have entry to person information, the researchers found a technique they dubbed ‘dialog injection’, which entails getting SearchGPT to supply ChatGPT with a response that will finish with a immediate to be executed by ChatGPT.
The issue was that the output from SearchGPT, which contained the malicious immediate, was seen to the person. Nevertheless, Tenable discovered that an attacker may disguise this content material from the person by including it to code blocks, which prevents the rendering of the info that’s on the identical line because the code block opening.
Tenable researchers have chained these vulnerabilities for a number of end-to-end assaults. In a single instance, the person asks ChatGPT to summarize a weblog the place the attacker has added a malicious immediate within the web site’s remark part. SearchGPT browses the publish, which ends up in a immediate injection that ends in the person being urged to click on on a hyperlink pointing to a phishing web site. Utilizing an middleman Bing URL the attacker can bypass the ‘url_safe’ test.
In a special instance, the middleman Bing URL is used to exfiltrate the person’s information, together with reminiscences and chat historical past, by specifically crafted URLs.
Tenable discovered that reminiscences can’t solely be exfiltrated but in addition injected. Its researchers confirmed how immediate injection can be utilized so as to add a reminiscence instructing the AI chatbot to exfiltrate the person’s information by crafted Bing URLs that leverage the ‘url_safe’ bypass.
OpenAI has been knowledgeable in regards to the findings and it has patched a few of them, however immediate injection will persist as a basic safety problem for LLMs. Tenable famous that a few of these assault strategies nonetheless work, even towards the newest GPT-5 mannequin.
Associated: OpenAI Atlas Omnibox Is Susceptible to Jailbreaks
Associated: Malware Now Makes use of AI Throughout Execution to Mutate and Gather Knowledge, Google Warns
Associated: Claude AI APIs Can Be Abused for Knowledge Exfiltration
