OpenAI's ChatGPT Crawler Can Be Tricked Into DDoSing Sites
OpenAI's ChatGPT crawler seems to be susceptible to initiating distributed denial of service (DDoS) attacks on various websites, a reported vulnerability that the tech giant has not yet acknowledged.
In a write-up shared this month via Microsoft's GitHub, Benjamin Flesch, a security researcher in Germany, explains how a single HTTP request to the ChatGPT API can be used to flood a targeted website with network requests from the ChatGPT crawler, specifically ChatGPT-User.
The Vulnerability
This flood of connections may or may not be enough to bring down a website, but it still poses a potential danger and highlights an oversight by OpenAI. It can amplify a single API request into 20 to 5,000 or more requests to a selected victim's website every second.
"ChatGPT API exhibits a severe quality defect when handling HTTP POST requests to https://chatgpt.com/backend-api/attributions," Flesch explains in his advisory, referring to an API endpoint called by OpenAI's ChatGPT to return information about web sources cited in the chatbot's output.
The Attack Method
By sending a large number of URLs to the API, each slightly different but all pointing to the same site, the crawler will access each one simultaneously, overwhelming the target with requests.
Using a tool like Curl, an attacker can exploit this vulnerability to send an HTTP POST request to the ChatGPT endpoint and cause OpenAI's servers in Microsoft Azure to initiate an HTTP request for each hyperlink submitted via the urls[] parameter in the request.
Impact of the Attack
When these requests are directed at the same website, they can potentially overload the target, leading to DDoS symptoms – the crawler, proxied by Cloudflare, will visit the targeted site from different IP addresses each time.
Flesch reported this unauthenticated reflective DDoS vulnerability through various channels but has not received any response from OpenAI or Microsoft.
He also highlighted another vulnerability in the ChatGPT API related to prompt injection, raising concerns about the security practices in place. This prompts questions about the effectiveness of security measures in OpenAI's 'AI agent' technology.
This incident underscores the importance of implementing proper validation logic to prevent abuse and ensure the security of APIs and systems.
The global chip war, characterized by intense competition among nations and corporations for supremacy in semiconductor technology, continues to escalate. Read more
The influence of tech giants in the global economy raises crucial questions about security, regulations, and market dynamics. Read more
Instagram's impact on interior design trends and aesthetics raises discussions on algorithm-driven influences. Read more
Exploring strategies to address the data crunch in AI training and development to ensure sustainability. Read more
Google's decision to abandon the removal of third-party cookies from Chrome browser highlights challenges in user privacy and data management. Read more
LinkedIn's adoption of AI and gamification to enhance user engagement and revenue generation reflects evolving trends in social networking platforms. Read more
