Full Report
Cybersecurity researchers have disclosed a new set of vulnerabilities impacting OpenAI's ChatGPT artificial intelligence (AI) chatbot that could be exploited by an attacker to steal personal information from users' memories and chat histories without their knowledge. The seven vulnerabilities and attack techniques, according to Tenable, were found in OpenAI's GPT-4o and GPT-5 models. OpenAI has
Analysis Summary
As the context provided is based on a news article snippet and does not contain specific CVE identifiers, exact CVSS scores, or detailed patch versions, the summary below will use placeholders where this specific information is missing and generalize based on the described vulnerability types.
# Vulnerability: Indirect Prompt Injection and Data Leakage in ChatGPT Models
## CVE Details
- CVE ID: N/A (Specific IDs not provided in the source)
- CVSS Score: N/A (Severity not explicitly scored, but high impact implied)
- CWE: Typically related to CWE-16 (Configuration) or CWE-94 (Improper Control of Generation of Code) given the nature of prompt injection.
## Affected Systems
- Products: OpenAI ChatGPT (specifically mentioning GPT-4o and GPT-5 models)
- Versions: GPT-4o, GPT-5 (Specific build/date versions are not listed)
- Configurations: Systems leveraging "Browsing Context," "Search Context" (SearchGPT integration), and utilizing user "Memory."
## Vulnerability Description
Researchers identified seven vulnerabilities/techniques allowing attackers to leverage **Indirect Prompt Injection** to manipulate the behavior of the Large Language Model (LLM). This manipulation can trick the AI into executing unintended malicious actions, specifically leading to the theft of personal information stored in the user's chat histories or "Memory."
The identified techniques include:
1. **Indirect Prompt Injection via Browsing Context:** Injecting malicious instructions into the comment sections of web pages summarized by ChatGPT.
2. **Zero-Click Indirect Prompt Injection (Search Context):** Exploiting how the LLM processes information indexed via search engines (like Bing/SearchGPT) based on natural language queries.
3. **Prompt Injection via One-Click:** Crafting specific URLs (`chatgpt[.]com/?q={Prompt}`) that automatically execute malicious queries embedded in the `q=` parameter.
4. **Safety Mechanism Bypass:** Exploiting the allowance list for `bing[.]com/ck/a` (Bing ad tracking links) to mask and render malicious URLs.
5. **Conversation Injection:** Inserting malicious prompts into a summarized website, causing the LLM to carry that malicious instruction into subsequent interactions.
6. **Malicious Content Hiding:** Exploiting markdown rendering bugs (specifically concerning fenced code blocks) to hide malicious prompts from the user interface but have them parsed by the LLM.
7. **Memory Injection:** Concealing hidden instructions in websites summarized by the LLM, poisoning the user's persistent ChatGPT Memory.
## Exploitation
- Status: Researcher-discovered, some issues *addressed* by OpenAI.
- Complexity: Likely **Medium** to **Low**, especially for zero-click and one-click variants.
- Attack Vector: Primarily **Network** (via malicious URLs or indexed web content).
## Impact
- Confidentiality: **High** (Potential for stateful data leakage/theft of user memories and chat history).
- Integrity: **Medium** (LLM behavior is maliciously altered).
- Availability: **Low** (Service is not taken down, but behavior is corrupted).
## Remediation
### Patches
- Patches are reported to be **available** for *some* of the disclosed vulnerabilities, as OpenAI "has since addressed some of them." Specific patch versions or required model updates are not specified in the source.
### Workarounds
- **Limit Browsing Context Usage:** Be cautious when asking ChatGPT to summarize external websites, especially if those sites are not fully trusted or if the request involves complex summarizing tasks.
- **Review Memory Settings:** Users should review and manage their ChatGPT Memory settings, as direct injection techniques target this persistent data store.
- **Avoid Non-Verified Links:** Do not click on links or interact with content generated from services integrating external browsing/search features unless the request originates from a trusted source.
## Detection
- **Indicators of Compromise (IoCs):** Unusual, unprompted responses from the LLM following interaction with external web content, search results, or summary requests.
- **Detection Methods and Tools:** Monitoring incoming queries for known prompt injection patterns, application-level logging to identify unusual system calls or context manipulation stemming from LLM output processing.
## References
- Vendor Advisory (Tenable): hxxps://www.tenable.com/security/research/tra-2025-22 (and related links provided in the context)
- General News Source: hxxps://thehackernews.com/2025/11/researchers-find-chatgpt.html