ChatGPT Data Pilfering: AI’s Vicious Cycle Exposed

by Anika Shah - Technology

ChatGPT Vulnerability Exploited Through URL-based Data Exfiltration, Now Mitigated

A recently discovered vulnerability, dubbed “ZombieAgent,” allowed attackers to bypass ChatGPT’s security measures and exfiltrate data by exploiting a loophole in how the AI model handles URLs. The attack, detailed by Radware researchers, circumvented the allow lists OpenAI had implemented in response to the ShadowLeak vulnerability. OpenAI has since implemented a fix.

The core of the ZombieAgent attack relied on ChatGPT’s permission to open URLs. Attackers discovered they could exfiltrate data character by character by appending single letters to a base URL under their control. Because OpenAI hadn’t restricted the appending of letters to URLs, the AI could be tricked into revealing information through a series of requests. A diagram illustrating the process was published by Radware (see figure).

[Image of Diagram illustrating the URL-based character exfiltration for bypassing the allow list introduced in ChatGPT in response to ShadowLeak. Credit: Radware]

OpenAI has mitigated the attack by restricting ChatGPT from opening links originating from emails unless they are indexed in a public index or directly provided by the user within a chat prompt. This change prevents the agent from accessing attacker-controlled domains via manipulated base URLs.
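The two defender-side pieces described above, the "links from email" policy and the character-at-a-time request pattern, can be shown together in working code. The following is an added example written for this article; it is not Radware's or OpenAI's code and does not reflect how ChatGPT implements its allow list. It assumes a simple outbound-fetch log format, constructed host names (`docs.example.org`, `untrusted.example`), and the design choice that allow-list comparison is an exact match on a normalised URL rather than a prefix match, since a base URL with extra characters appended is precisely what the attack relied on.

```python
import re
from os.path import commonprefix
from urllib.parse import urlsplit, urlunsplit

# ---- Part 1: policy gate for links that arrived via email (assumed design) ----

def normalize(url: str) -> str:
    """Canonicalise a URL so that allow-list comparison is exact, not prefix-based.
    Lower-cases scheme and host, drops the fragment, strips a trailing slash."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def is_fetch_allowed(url, origin, user_prompt_urls, public_index):
    """Decide whether an agent may open `url`.

    origin: where the link came from, "user_prompt" or "email".
    Links the user typed into the chat are allowed. Links found in email content
    are allowed only if the exact normalised URL is in the public index or was
    also given by the user. 'base URL + appended characters' is a different URL
    and is rejected. Returns (allowed: bool, reason: str)."""
    if origin == "user_prompt":
        return True, "provided by user in chat"
    if origin != "email":
        return False, f"unknown origin {origin!r}"
    target = normalize(url)
    if target in {normalize(u) for u in user_prompt_urls}:
        return True, "email link matches a user-provided URL"
    if target in {normalize(u) for u in public_index}:
        return True, "email link is in the public index"
    return False, "email link is neither indexed nor user-provided"


# ---- Part 2: detection of character-at-a-time exfiltration in fetch logs ----

# Assumed log line shape: "<timestamp> fetch origin=<origin> url=<url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+fetch\s+origin=(?P<origin>\w+)\s+url=(?P<url>\S+)$")

# Constructed sample of one agent session's outbound fetches (not real data):
# one legitimate documentation page, then six requests to a single host that
# differ only by one trailing character each.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z fetch origin=user_prompt url=https://docs.example.org/policy.html
2024-05-01T09:00:04Z fetch origin=email url=https://untrusted.example/r/k
2024-05-01T09:00:05Z fetch origin=email url=https://untrusted.example/r/7
2024-05-01T09:00:06Z fetch origin=email url=https://untrusted.example/r/f
2024-05-01T09:00:07Z fetch origin=email url=https://untrusted.example/r/2
2024-05-01T09:00:08Z fetch origin=email url=https://untrusted.example/r/x
2024-05-01T09:00:09Z fetch origin=email url=https://untrusted.example/r/9
"""


def parse_log(text):
    """Return a list of (timestamp, origin, url) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["ts"], m["origin"], m["url"]))
    return events


def detect_char_exfiltration(events, min_requests=5, max_suffix_len=2):
    """Flag hosts whose request sequence looks like one-character-per-request leakage.

    Two heuristics, applied per host in request order:
      - fan-out: at least min_requests distinct URLs that differ from their common
        prefix by no more than max_suffix_len characters;
      - incremental: every request extends the previous URL by exactly one character.
    Returns {host: reason}."""
    by_host = {}
    for _, _, url in events:
        by_host.setdefault(urlsplit(url).hostname, []).append(url)

    flagged = {}
    for host, urls in by_host.items():
        if len(urls) < min_requests:
            continue
        distinct = list(dict.fromkeys(urls))  # preserve first-seen order
        prefix = commonprefix(distinct)
        if len(distinct) >= min_requests and all(
            len(u) - len(prefix) <= max_suffix_len for u in distinct
        ):
            flagged[host] = (
                f"{len(distinct)} requests share prefix {prefix!r} "
                f"with suffixes of <= {max_suffix_len} chars"
            )
            continue
        if all(len(b) == len(a) + 1 and b.startswith(a) for a, b in zip(urls, urls[1:])):
            flagged[host] = f"{len(urls)} requests each extend the previous URL by one character"
    return flagged


if __name__ == "__main__":
    print(is_fetch_allowed("https://docs.example.org/policy.html", "email",
                           [], ["https://docs.example.org/policy.html"]))
    print(is_fetch_allowed("https://docs.example.org/policy.htmlx", "email",
                           [], ["https://docs.example.org/policy.html"]))
    for host, reason in detect_char_exfiltration(parse_log(SAMPLE_LOG)).items():
        print(f"FLAG {host}: {reason}")
```

The detection thresholds are assumptions and will need tuning: paginated sites (`/p/1`, `/p/2`, ...) can trip the fan-out heuristic, so in practice the detector is best combined with the origin field, so that only links that entered via untrusted content such as email count, and with the allow-list decision itself, which should already have refused these fetches.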

This incident highlights a recurring pattern in cybersecurity: the constant cycle of attack and mitigation. As Pascal Geenens, VP of threat intelligence at Radware, noted, “Guardrails should not be considered basic solutions for the prompt injection problems. Instead, they are a quick fix to stop a specific attack. Provided that there is no fundamental solution, prompt injection will remain an active threat and a real risk for organizations deploying AI assistants and agents.”

The ongoing struggle against vulnerabilities like prompt injection mirrors the persistent challenges posed by issues like SQL injection and memory corruption, demonstrating that security remains a continuous process rather than a solved problem.

Sources:

* Ars Technica: ChatGPT vulnerability let attackers exfiltrate data via URLs

* Radware blog: ZombieAgent: Bypassing ChatGPT’s Allow List with URL-based Character Exfiltration
