Skip to content

Prompt injection exploit in ChatGPT macOS app leads to data theft

  • by
  • 3 min read

A vulnerability in the ChatGPT macOS application has allowed attackers to inject spyware, leading to continuous data exfiltration from user interactions. This flaw, exploited through prompt injections from untrusted websites, enabled malicious actors to store spyware persistently in ChatGPT’s memory. OpenAI has since released a patch, and users are advised to update their app immediately to prevent further risks.

The flaw lies in how ChatGPT handles untrusted data, specifically prompt injections from malicious websites. By exploiting ChatGPT’s memory function, attackers could insert malicious instructions that persist across future chat sessions.

This enables continuous surveillance, with attackers able to steal user information, including the data users’ input and ChatGPT responses.

OpenAI first implemented security measures against data exfiltration at the end of 2023 by introducing the ‘url_safe’ API. This API was designed to prevent third-party servers from using ChatGPT to send data by ensuring that URLs and images were safe before rendering.

However, this check occurred on the client side, leaving the iOS app—and later the macOS and Android clients—vulnerable. The recent vulnerability resurfaced as new features, such as Memories, were added.

The release of the Memory feature in ChatGPT marked a turning point for this flaw. Attackers could inject instructions into ChatGPT’s memory via a malicious website. Once inserted, these instructions remained active for all future interactions.

This created an undetectable channel for exfiltrating user data to attacker-controlled servers, as all chat messages and responses were automatically sent to threat actors.

The latest prompt injection payload used by the researcher. | Source: Embrace The Red

The exfiltration method rendered an invisible image linked to an attacker’s server, embedding sure data in the URL parameter. The result? Continuous data leakage, as demonstrated by an end-to-end exploit video where an invisible image facilitated the stealthy transfer of sensitive information.

As explained by the researcher, this flaw allowed attackers to bypass OpenAI’s ‘url_safe’ API, highlighting that the security patch was insufficient in preventing all forms of data leakage.

“The url_safe feature still allows for some information to be leaked,” explained a researcher.

OpenAI’s latest patch, released in September 2024, addresses the vulnerability by fixing the exfiltration vector. Specifically, it blocks the use of image rendering for data extraction. However, the larger issue of prompt injection remains unsolved.

“ChatGPT users should regularly review the memories the system stores about them, for suspicious or incorrect ones and clean them up,” the researcher continued.

The video shows that websites and untrusted documents can still invoke the memory tool to store malicious instructions, posing a risk of future exploits.

OpenAI recommends that users regularly review and manage the memories stored by ChatGPT, ensuring that no unauthorised instructions persist. Users can also disable the Memory feature or use temporary chat sessions to prevent long-term data retention.

In the News: BookMyShow accused of black marketing Coldplay show tickets

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>