A vulnerability in the ChatGPT macOS application has allowed attackers to inject spyware, leading to continuous data exfiltration from user interactions. This flaw, exploited through prompt injections from untrusted websites, enabled malicious actors to store spyware persistently in ChatGPT’s memory. OpenAI has since released a patch, and users are advised to update their app immediately to prevent further risks.
The flaw lies in how ChatGPT handles untrusted data, specifically prompt injections from malicious websites. By exploiting ChatGPT’s memory function, attackers could insert malicious instructions that persist across future chat sessions.
This enables continuous surveillance, with attackers able to steal user information, including the data users’ input and ChatGPT responses.
OpenAI first implemented security measures against data exfiltration at the end of 2023 by introducing the ‘url_safe’ API. This API was designed to prevent third-party servers from using ChatGPT to send data by ensuring that URLs and images were safe before rendering.
However, this check occurred on the client side, leaving the iOS app—and later the macOS and Android clients—vulnerable. The recent vulnerability resurfaced as new features, such as Memories, were added.
The release of the Memory feature in ChatGPT marked a turning point for this flaw. Attackers could inject instructions into ChatGPT’s memory via a malicious website. Once inserted, these instructions remained active for all future interactions.
This created an undetectable channel for exfiltrating user data to attacker-controlled servers, as all chat messages and responses were automatically sent to threat actors.
The exfiltration method rendered an invisible image linked to an attacker’s server, embedding sure data in the URL parameter. The result? Continuous data leakage, as demonstrated by an end-to-end exploit video where an invisible image facilitated the stealthy transfer of sensitive information.
As explained by the researcher, this flaw allowed attackers to bypass OpenAI’s ‘url_safe’ API, highlighting that the security patch was insufficient in preventing all forms of data leakage.
“The url_safe
feature still allows for some information to be leaked,” explained a researcher.
OpenAI’s latest patch, released in September 2024, addresses the vulnerability by fixing the exfiltration vector. Specifically, it blocks the use of image rendering for data extraction. However, the larger issue of prompt injection remains unsolved.
“ChatGPT users should regularly review the memories the system stores about them, for suspicious or incorrect ones and clean them up,” the researcher continued.
The video shows that websites and untrusted documents can still invoke the memory tool to store malicious instructions, posing a risk of future exploits.
OpenAI recommends that users regularly review and manage the memories stored by ChatGPT, ensuring that no unauthorised instructions persist. Users can also disable the Memory feature or use temporary chat sessions to prevent long-term data retention.
In the News: BookMyShow accused of black marketing Coldplay show tickets