Researchers have identified seven new vulnerabilities in ChatGPT that could allow data theft and other malicious activities.
Threat researchers at Tenable have revealed ChatGPT is susceptible to a range of vulnerabilities, including unique indirect prompt injections, exfiltration of personal user information, persistence, evasion and bypass of safety mechanisms.
OpenAI has fixed some of these vulnerabilities.
These vulnerabilities are present in the GPT-5, the latest model, and could allow attackers to exploit users without their knowledge. This can result from something as simple as asking ChatGPT a question.
One of the vulnerabilities detected is able to bypass safety features, raising questions about how robust some of these measures are.
How the attacks work
These vulnerabilities rely on indirect prompt injection—malicious instructions embedded in external content the model ingests (e.g., web pages.) Attackers craft hidden prompts in this content to steer malicious outputs or exfiltrate data.
Tenable have identified seven vulnerabilities; we’ve broken down three of them here.
- Web Vulnerability
ChatGPT is able to search the web to help generate the response to some queries. Tenable discovered that ChatGPT is susceptible to caching vulnerabilities. Much of the search functionality is passed on to a tool called SearchGPT – this has fewer capabilities and less contextual understanding.
Tenable hid a prompt in blog comments; when asked to summarize, ChatGPT followed the injected instructions surfaced via SearchGPT.
2. Crawling
The Tenable researchers were also able to encourage GPT to index a site of their choosing. In this case, it was a custom site, with hidden injections. After this was done, the team were able to inject a malicious prompt, just by the victim asking a simple question.
Tenable explain that “This unprecedented 0-click vulnerability opens a whole new attack vector that could target anyone who relies on AI search for information. AI vendors are relying on metrics like SEO scores, which are not security boundaries, to choose which sources to trust. By hiding the prompt in tailor-made sites, attackers could directly target users based on specific topics or political and social trends.”
“The final and simplest method of prompt injection is through a feature that OpenAI created, which allows users to prompt ChatGPT by browsing to https://chatgpt.com/?q={Prompt}. We found that ChatGPT will automatically submit the query in the q= parameter, leaving anyone who clicks that link vulnerable to a prompt injection attack.”
The significance
ChatGPT has somewhere between 800 to 845 million active weekly users. Therefore, any vulnerability, no matter how complex, has the potential to reach millions of users. In this instance, the attacks are not particularly sophisticated, presenting attackers with plenty of opportunities.
These vulnerabilities have been responsibly disclosed to OpenAI, Chat GPT’s parent company, who have already addressed some of the vulnerabilities.
