"Cybersecurity researchers have disclosed a new set of vulnerabilities impacting OpenAI's ChatGPT artificial intelligence (AI) chatbot that could be exploited by an attacker to steal personal information from users' memories and chat histories without their knowledge. The seven vulnerabilities and attack techniques, according to Tenable, were found in OpenAI's GPT-4o and GPT-5 models. OpenAI has since addressed some of them. These issues expose the AI system to indirect prompt injection attacks, allowing an attacker to manipulate the expected behavior of a large language model (LLM) and trick it into performing unintended or malicious actions, security researchers Moshe Bernstein and Liv Matan said in a report shared with The Hacker News."
"Indirect prompt injection vulnerability via trusted sites in Browsing Context, which involves asking ChatGPT to summarize the contents of web pages with malicious instructions added in the comment section, causing the LLM to execute them Zero-click indirect prompt injection vulnerability in Search Context, which involves tricking the LLM into executing malicious instructions simply by asking about a website in the form of a natural language query, owing to the fact that the site may have been indexed by search engines like Bing and OpenAI's crawler associated with SearchGPT."
"Prompt injection vulnerability via one-click, which involves crafting a link in the format "chatgpt[.]com/?q={Prompt}," causing the LLM to automatically execute the query in the "q=" parameter Safety mechanism bypass vulnerability, which takes advantage of the fact that the domain bing[.]com is allow-listed in ChatGPT as a safe URL to set up Bing ad tracking links (bing[.]com/ck/a) to mask malicious URLs and allow them to be rendered on the chat. Conversation injection technique, which involves inserting malicious instructions into a website and asking ChatGPT to summarize the website, ca"
Seven vulnerabilities in GPT-4o and GPT-5 enable indirect prompt-injection attacks that manipulate model behavior to perform unintended actions. Attack techniques include browsing-context injection via trusted sites, zero-click search-context injection through indexed pages, one-click execution via crafted query parameters, safety-allowlist bypass using Bing ad-tracking links, and conversation injection by embedding malicious instructions in web content summaries. These flaws can lead to theft of personal information from user memories and chat histories. Some issues have been addressed; mitigation steps include restricting browsing features, sanitizing external content, and monitoring chat and account activity.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]