{"id":1594,"date":"2025-01-21T12:39:32","date_gmt":"2025-01-21T12:39:32","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1594"},"modified":"2025-01-21T12:39:32","modified_gmt":"2025-01-21T12:39:32","slug":"chatgpt-api-flaws-could-allow-ddos-prompt-injection-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1594","title":{"rendered":"ChatGPT API flaws could allow DDoS, prompt injection attacks"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

OpenAI-owned ChatGPT might have a vulnerability that could allow threat actors to launch distributed denial of service (DDoS) attacks <\/a>on unsuspecting targets.\u00a0\u00a0<\/p>\n

According to a discovery made by German security researcher Benjamin Flesch, the ChatGPT crawler, which OpenAI uses to collect data from the internet to improve ChatGPT, can be tricked into DDoSing arbitrary websites.\u00a0\u00a0<\/p>\n

\u201cChatGPT crawler can be triggered to DDoS a victim website via HTTP request to unrelated ChatGPT API,\u201d Flesch said in a Github repo<\/a> with a POC. \u201cThis defect in OpenAI software will spawn a DDoS attack on the victim website, utilizing multiple Microsoft Azure IP address ranges on which ChatGPT crawler is running.\u201d\u00a0<\/p>\n

Flesch said the discovery was made in January 2025, and was since brought to OpenAI as well as Microsoft\u2019s knowledge, neither of whom have yet acknowledged the flaw\u2019s existence.\u00a0\u00a0<\/p>\n

OpenAI oversight allows HTTP request amplification<\/h2>\n

Flesch pointed out that the ChatGPT API has a significant flaw when processing HTTP POST requests at its attributions endpoint.\u00a0\u00a0<\/p>\n

The API requires a list of URLs but fails to check for duplicate hyperlinks or enforce a limit on their numbers, allowing potentially thousands of hyperlinks in a single HTTP request.\u00a0<\/p>\n

\u201cIt is commonly known that hyperlinks to the same website can be written in many different ways,\u201d Flesch said. \u201cDue to bad programming practices, OpenAI does not check if a hyperlink to the same resource appears multiple times in the list.\u201d\u00a0<\/p>\n

The API processes each hyperlink in a POST request individually, using Microsoft Azure servers, leading to numerous simultaneous connection attempts to the target site. The resulting large volume of connections from the OpenAI servers can potentially overwhelm the targeted website.\u00a0<\/p>\n

The same API is open to prompt injection attacks<\/h2>\n

According to another disclosure<\/a> made by Flesch, the same API is also vulnerable to prompt injection attacks<\/a>. The problem stems from the API accepting \u201curls\u201d parameter containing text commands for their LLM.\u00a0<\/p>\n

This could be exploited to make the crawler answer queries through the API, allowing it to respond to questions instead of simply fetching websites as intended.\u00a0<\/p>\n

\u201cDue to a large number of prompts that can be submitted via the urls parameter, this software defect could be further utilized to slow down the OpenAI servers,\u201d Felsch added.\u00a0\u00a0<\/p>\n

While acknowledgment and enumeration of the flaws are still awaited, Felsch placed the DDoS enabling flaw\u2019s severity at 8.6 out of 10 on the CVSS scale, owing to its network-based nature, low complexity, absence of privilege requirement or user interaction, and high impact of availability of services.\u00a0\u00a0<\/p>\n

Queries sent to OpenAI for acknowledgment and other flaw details received no responses until the publishing of this article.\u00a0\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

OpenAI-owned ChatGPT might have a vulnerability that could allow threat actors to launch distributed denial of service (DDoS) attacks on unsuspecting targets.\u00a0\u00a0 According to a discovery made by German security researcher Benjamin Flesch, the ChatGPT crawler, which OpenAI uses to collect data from the internet to improve ChatGPT, can be tricked into DDoSing arbitrary websites.\u00a0\u00a0 […]<\/p>\n","protected":false},"author":0,"featured_media":1588,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1594","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1594"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1594"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1594\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1588"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}