
OpenAI's ChatGPT crawler can be tricked into DDoSing sites, answering your queries

Jan 19, 2025 - theregister.com
A reported vulnerability in OpenAI's ChatGPT API allows it to be abused as an amplifier for distributed denial of service (DDoS) attacks against third-party websites. Security researcher Benjamin Flesch found that a single HTTP request to the API can be turned into thousands of outbound requests to one target site, enough to overwhelm it. The root cause is that the API neither deduplicates the URLs it is handed nor caps the number of hyperlinks a single request may contain, so every link in the list is fetched. The endpoint does not require authentication, and the resulting crawler traffic is proxied through Cloudflare, so a victim cannot simply block it by source address without also blocking legitimate Cloudflare-fronted traffic.

Flesch reported the issue to OpenAI and to other relevant platforms but, at the time of the article, had received no response. He also highlighted a separate weakness related to prompt injection, and questioned why OpenAI's bot lacks basic safeguards against such problems. Flesch speculates that the API may be an example project built on OpenAI's AI agents, which appear to ship without built-in protections against resource exhaustion and abuse.

Key takeaways:

  • OpenAI's ChatGPT API can be abused to launch DDoS attacks on websites by flooding them with crawler requests.
  • A single HTTP POST request to the API, carrying a long list of hyperlinks, can result in thousands of requests to a target site: the amplification factor is the number of links the attacker supplies.
  • The issue arises because the API neither deduplicates URLs nor limits the number of hyperlinks per request, so an attacker controls how much work it does on their behalf.
  • Despite reports through multiple channels, OpenAI had not acknowledged or addressed the vulnerability at the time of the article.
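To make the amplification mechanism described in the summary and the takeaways concrete, the following added example (not OpenAI's code, and not from the article) models a toy "fetch every link in this request" handler in the vulnerable shape beside a hardened version. The handler and function names, the parameter names and the numeric limits are assumptions chosen for illustration; the attacker payload is constructed inline and the fetcher is a fake, so nothing touches the network. The hardened version goes slightly beyond the two fixes the article names (deduplication and a per-request cap) by also capping fetches per target host, because a list of URLs that differ only in their query string would pass deduplication untouched.

```python
# Added example (not OpenAI's code): a toy link-fetching handler showing the
# amplification pattern beside a hardened version. Function names, parameter
# names and the numeric limits below are assumptions for illustration.
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

MAX_URLS_PER_REQUEST = 20   # assumed cap on hyperlinks accepted per request
MAX_URLS_PER_HOST = 5       # assumed cap on fetches against one target host


class RequestRejected(Exception):
    """Raised by the hardened handler when a request is refused."""


def canonicalize(url: str) -> str:
    """Lower-case scheme and host and drop the fragment, so that trivially
    different spellings of one URL collapse to a single dedup key."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def vulnerable_handler(urls, fetch, authenticated=False):
    """The pattern described in the article: one outbound fetch per list
    entry, with no authentication, no deduplication and no length cap.
    Returns the number of outbound fetches issued."""
    for u in urls:
        fetch(u)
    return len(urls)


def hardened_handler(urls, fetch, authenticated=False):
    """Same job with the missing controls added: require auth, cap the list,
    deduplicate, and cap fetches per target host so that N distinct query
    strings against one site cannot slip past deduplication."""
    if not authenticated:
        raise RequestRejected("authentication required")
    if len(urls) > MAX_URLS_PER_REQUEST:
        raise RequestRejected(f"too many URLs ({len(urls)} > {MAX_URLS_PER_REQUEST})")
    unique = list(dict.fromkeys(canonicalize(u) for u in urls))  # order-preserving dedup
    per_host = Counter(urlsplit(u).netloc for u in unique)
    host, n = per_host.most_common(1)[0] if per_host else (None, 0)
    if n > MAX_URLS_PER_HOST:
        raise RequestRejected(f"{n} URLs target {host}; limit is {MAX_URLS_PER_HOST}")
    for u in unique:
        fetch(u)
    return len(unique)


def amplification_payload(target: str, n: int):
    """Constructed attacker payload: n URLs that all point at one host but
    differ in query string, so a dedup-only fix would still fetch every one."""
    return [f"{target}?q={i}" for i in range(n)]


def simulate(handler, urls, authenticated=False):
    """Run a handler against a fake fetcher. Returns (fetches issued,
    {host: outbound fetch count}, rejection reason or None)."""
    hits = Counter()

    def fake_fetch(u):
        hits[urlsplit(u).netloc] += 1

    try:
        issued = handler(urls, fake_fetch, authenticated=authenticated)
        reason = None
    except RequestRejected as e:
        issued, reason = 0, str(e)
    return issued, dict(hits), reason


if __name__ == "__main__":
    payload = amplification_payload("https://victim.example/", 3000)
    print("vulnerable:", simulate(vulnerable_handler, payload))
    print("hardened:  ", simulate(hardened_handler, payload, authenticated=True))
```

Running the script shows the vulnerable handler turning one inbound request into 3000 fetches of victim.example, while the hardened one refuses the same payload before issuing a single fetch. The per-host cap is the part worth noting: deduplication alone is defeated by appending a different query string to each copy of the URL, which is why a fan-out endpoint needs a limit on work per target, not only on distinct inputs.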
