Another day, another vulnerability. CSO Online reports that a researcher discovered an OpenAI development oversight that could allow attackers to launch DDoS attacks on unsuspecting victims:
OpenAI-owned ChatGPT might have a vulnerability that could allow threat actors to launch distributed denial of service (DDoS) attacks on unsuspecting targets.
According to a discovery made by German security researcher Benjamin Flesch, the ChatGPT crawler, which OpenAI uses to collect data from the internet to improve ChatGPT, can be tricked into DDoSing arbitrary websites.
“ChatGPT crawler can be triggered to DDoS a victim website via HTTP request to unrelated ChatGPT API,” Flesch said in a GitHub repo with a POC. “This defect in OpenAI software will spawn a DDoS attack on the victim website, utilizing multiple Microsoft Azure IP address ranges on which ChatGPT crawler is running.”
Read more at CSO Online.
Although CSO Online and other news sites reporting on the vulnerability earlier this week were unable to get responses from Microsoft or OpenAI, Cyberscoop reported:
Flesch said the vulnerability was discovered this month, and the GitHub page for the vulnerability was first created Jan. 10. The issue was reported to OpenAI and Microsoft, which owns the servers spawning the requests, under responsible disclosure rules. In an update, Flesch noted that OpenAI has since disabled the vulnerable endpoint and that the proof-of-concept code no longer works.
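From the defender's side, the distinguishing signature of the crawler-driven flood described above is a burst of requests for the same site that all carry a crawler user agent but arrive from many different cloud addresses. The detector below is an added example, not code from Flesch's repository or from OpenAI; the crawler user-agent markers, the log format, the thresholds and the log lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined (Apache/nginx style) access-log format; the crawler markers are an
# assumption for this example, not identifiers taken from the article.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CRAWLER_MARKERS = ("ChatGPT-User", "GPTBot")

def parse_line(line):
    """Return {ip, ts, marker} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    marker = next((k for k in CRAWLER_MARKERS if k in m["ua"]), None)
    return {"ip": m["ip"], "ts": ts, "marker": marker}

def crawler_bursts(lines, window=timedelta(seconds=10), min_hits=20, min_ips=5):
    """Flag, per crawler marker, the densest sliding window that has at least
    min_hits requests from at least min_ips distinct source addresses."""
    by_marker = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["marker"]:
            by_marker[ev["marker"]].append(ev)
    alerts = []
    for marker, evs in by_marker.items():
        evs.sort(key=lambda e: e["ts"])
        best, j = None, 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1  # j is the first event outside the window starting at i
            hits, ips = j - i, {e["ip"] for e in evs[i:j]}
            if hits >= min_hits and len(ips) >= min_ips and (best is None or hits > best["hits"]):
                best = {"marker": marker, "start": evs[i]["ts"], "hits": hits, "distinct_ips": len(ips)}
        if best:
            alerts.append(best)
    return alerts

def constructed_log():
    """Constructed sample: 30 crawler hits from 8 addresses within 5 seconds, plus one normal request."""
    base = datetime(2025, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    ua = "Mozilla/5.0 AppleWebKit/537.36; compatible; ChatGPT-User/1.0"
    lines = [f'20.0.0.{n % 8 + 1} - - [{(base + timedelta(seconds=n % 5)).strftime(fmt)}] '
             f'"GET /victim-page HTTP/1.1" 200 512 "-" "{ua}"' for n in range(30)]
    lines.append(f'198.51.100.7 - - [{base.strftime(fmt)}] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0 Firefox/120"')
    return lines

if __name__ == "__main__":
    for a in crawler_bursts(constructed_log()):
        print(f'{a["marker"]}: {a["hits"]} hits from {a["distinct_ips"]} addresses starting {a["start"]}')
```

In practice the thresholds would be tuned to the site's normal crawl rate, and a triggered alert is the point at which to rate-limit the offending user agent at the edge rather than block it outright.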