A major flaw in OpenAI’s ChatGPT has raised alarm in the cybersecurity community due to its potential misuse for Distributed Denial of Service (DDoS) attacks. Exploiting a programming defect in the API, attackers could leverage OpenAI’s infrastructure to inundate victim websites with a flood of HTTP requests, resulting in severe disruption of services.
At the heart of this vulnerability is the ChatGPT API's handling of HTTP POST requests to the endpoint https://chatgpt.com/backend-api/attributions. The API accepts a parameter named urls that is designed to carry a list of hyperlinks. However, OpenAI's failure to enforce basic validation on that parameter has created an avenue for exploitation.
"ChatGPT API exhibits a severe quality defect when handling HTTP POST requests to https://chatgpt.com/backend-api/attributions," security researcher Benjamin Flesch wrote on GitHub. "The API expects a list of hyperlinks in parameter urls. It is commonly known that hyperlinks to the same website can be written in many different ways."
The API does not check whether multiple entries in the urls parameter point to the same resource. Nor is there a cap on the number of hyperlinks that can be submitted in a single request, so thousands of links can be submitted at once.

When the API processes such a request, it generates one HTTP request for each hyperlink from OpenAI's servers, hosted on Microsoft Azure's infrastructure. This design flaw results in a sudden surge of requests to the targeted website, potentially overwhelming its resources and rendering it inaccessible.
This defect amplifies the potential impact of a DDoS attack. With minimal effort, an attacker can trigger thousands of parallel connection attempts originating from OpenAI’s servers. Additionally, duplicate requests to the same resource exacerbate the burden on the victim’s website, as no mechanisms are in place to prevent redundant requests.
To mitigate this risk, Flesch asks OpenAI to implement several immediate measures, including hyperlink deduplication, strict caps on the number of hyperlinks allowed in single requests, and rate-limiting mechanisms to control the frequency of outgoing requests to the same domain.
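The three guards Flesch proposes (deduplication of hyperlinks that spell the same resource differently, a strict cap on hyperlinks per request, and rate limiting of outbound fetches to the same domain) are straightforward to apply server-side before any fetch is issued. The following is an added example written for this article, not OpenAI's code and not Flesch's; the cap values, the function and class names, and the sample URLs are assumptions chosen for illustration.

```python
"""Added example (not OpenAI's code): server-side guards for a URL-list
endpoint such as the attributions API described above. The cap values,
function names and sample URLs are assumptions for illustration."""
from collections import Counter, deque
from urllib.parse import urlsplit, urlunsplit
import time

MAX_URLS_PER_REQUEST = 50   # assumed cap on hyperlinks per request
MAX_URLS_PER_HOST = 5       # assumed cap on hyperlinks per host per request
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url):
    """Reduce the many spellings of a hyperlink to one canonical form so that
    duplicates pointing at the same resource can be recognised.
    Returns None for anything that is not a fetchable http(s) URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lowercased
    if not host:
        return None
    try:
        port = parts.port
    except ValueError:                          # non-numeric or out-of-range port
        return None
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    while "//" in path:                         # collapse repeated slashes
        path = path.replace("//", "/")
    if len(path) > 1 and path.endswith("/"):    # "/a/" and "/a" name the same resource
        path = path[:-1]
    return urlunsplit((scheme, netloc, path, parts.query, ""))  # fragment is dropped


def filter_attribution_urls(urls, max_total=MAX_URLS_PER_REQUEST,
                            max_per_host=MAX_URLS_PER_HOST):
    """Request-level guards: strict size cap, deduplication after
    canonicalisation, and a per-host cap. Returns (accepted, dropped_counts).
    A request over the size cap is rejected outright rather than truncated."""
    if len(urls) > max_total:
        return [], {"over_cap": len(urls)}
    seen, per_host, accepted, dropped = set(), Counter(), [], Counter()
    for raw in urls:
        canon = canonicalize(raw)
        if canon is None:
            dropped["invalid"] += 1
            continue
        if canon in seen:
            dropped["duplicate"] += 1
            continue
        host = urlsplit(canon).hostname
        if per_host[host] >= max_per_host:
            dropped["per_host_cap"] += 1
            continue
        seen.add(canon)
        per_host[host] += 1
        accepted.append(canon)
    return accepted, dict(dropped)


class PerHostRateLimiter:
    """Sliding-window limit on outbound fetches per destination host across
    requests, so that many small requests cannot add up to a flood."""

    def __init__(self, max_events, window_seconds, clock=time.monotonic):
        self._max, self._window, self._clock = max_events, window_seconds, clock
        self._events = {}

    def allow(self, host, now=None):
        now = self._clock() if now is None else now
        q = self._events.setdefault(host, deque())
        while q and now - q[0] >= self._window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self._max:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample: six spellings, three distinct resources, one non-http link.
    sample = ["https://Example.com/", "https://example.com", "http://example.com:80/a/",
              "https://example.com/a#section", "https://example.com/a", "ftp://example.com/x"]
    accepted, dropped = filter_attribution_urls(sample)
    print(accepted)   # ['https://example.com/', 'http://example.com/a', 'https://example.com/a']
    print(dropped)    # {'duplicate': 2, 'invalid': 1}
```

The per-request filter handles the case Flesch describes, in which many differently written links collapse to one target, while the rate limiter covers the case the filter alone cannot: many separate requests that are each under the cap. Note that http and https spellings of the same path are kept distinct here; whether to merge them is a policy choice for the operator.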
"The victim will never know what hit them, because they only see ChatGPT bot hitting their website from about 20 different IP addresses simultaneously," Flesch told The Register. He also notes that blocking the IP addresses at a firewall will not work.