Skip to content

A Redis bug briefly exposed ChatGPT customer data

  • by
  • 2 min read

Photo: Tada Images/Shutterstock.com

After disclosing a bug where a few users could see the titles of other users’ conversation history, further investigation from OpenAI revealed that the bug was caused by an issue in the Redis client open-source library that the company uses to cache its information. 

The exposed information included active users’ first and last names, email and payment addresses, and some financial information such as the last four digits of their credit card numbers and credit card expiration dates. It was also possible that the first message of a new thread was visible in someone else’s chat history if both users were active around the same time. 

The data was only leaked briefly, between 1 AM to 10 AM Pacific time on March 20, although OpenAI does say in its update on the incident that it may also have occurred prior to March 20 and just gone undetected. Nevertheless, the bot was taken offline following the discovered and the issue has now been fixed. OpenAI puts the number of affected customers at 1.2%. The company has informed all affected users. 

Specifically, OpenAI uses the redis-py library to interface with Redis from its Python server. The library is set up to use a shared pool of connections between the server and the client cluster, recycling connections between requests. However, if a rquest is cancelled after being pushed onto the incoming queue but before the response was ‘popped’ from the outgoing queue, users run into this bug. 

This corrupts the connection and the next response that’s dequeued for an unrelated request can recieve data left behind from the previous connection. However, the corrupted data matches the request’s data type only in some cases causiing the responses provided by the chatbot using the cache appeared valid, even if they belonged to other users. 

In the News: GitHub rotates exposed SSH key to protect users

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>