ChatGPT has gained popularity since the end of 2022, for bringing a natural language that allows you to obtain responses and tasks from different segments, only through textual commands – the so-called “prompts”.
However, like all technological innovation, digital security also comes into focus here, since interactions demand high protection against threats. The first major challenge in this area came last week, with a chatbot data leak. Detective TechSmart explains the details.
The data leak originates from a failure, which occurred between 5:00 am and 2:00 pm on the last March 20th – a Monday. The bug allegedly occurred in an open source ChatGPT library, which allowed some individuals to view chat history titles of other active users at the same time.
At the time, new chatbot users also started to receive subscription confirmation emails for the “Plus” version with wrong data. The vulnerability caused OpenAI to shut down its servers, which took the AI tool offline during the process.
Although this occurred on the 20th, the discovery came only on March 24th, by cybersecurity expert GreyNoise. The company identified that there were effects of a flaw exploited in a component inserted a short time ago, for collecting information by plugins.
According to the report, code samples delivered by OpenAI to customers through the plugins indicate an image damaged by the vulnerability, dated March 17, 2022.
The security flaw in question consists of CVE-2023-28432, a loophole that is capable of providing root passwords and sensitive keys, and would have already suffered exploitation attempts.
“While we have no information suggesting that any specific actor is targeting example instances of ChatGPT, we do observe this vulnerability being actively exploited in the wild. When attackers attempt mass identification and mass exploitation of vulnerable services, ‘everything’ is in scope, including any deployed ChatGPT plugins that utilize this outdated version of MinIO.”
graynoise
OpenAI’s confirmation came almost a week after it happened – and after it was discovered by GreyNoise. According to investigations, the data exposure included the chat history titles of active users, as well as the initial message of conversations.
In addition, the developer revealed that payment information was also exposed, but without affecting 100% of users. Those affected include 1.2% of the ChatGPT Plus subscriber base – the paid plan that allows benefits such as queue-free access and faster responses.
Even with the statement, OpenAI did not disclose the number of individuals affected by the incident. However, in addition to the 9 hours of exposure on March 20, the company does not rule out that leaks also occurred on previous days.
What data was leaked?
- User’s first and last name
- Email address
- payment address
- Credit card expiration date
- Last 4 digits of credit card number
It is clear that digital security will be an even greater concern for ChatGPT users from this moment on, as it should be when using any online service. However, how can users prevent themselves from further exposure issues?
Given the sequence of events during the leak, some basic precautions can be taken. One of them is in relation to the first message sent in the conversation with the bot. It is worth avoiding putting sensitive information in it, which does not compromise the user in case a new exploitation occurs in the future.
It is also worth using a virtual card – if your broadcaster offers this possibility – in the tool’s subscriptions – as well as in other services. So, if it is leaked, just cancel it and generate another number to be sure that misuse will not happen in the future.
OpenAI said in its statement that it has taken steps to avoid future problems in the area of cybersecurity. See the changes:
“We have extensively tested our fix for the bug;
Added redundant checks to ensure data returned by our Redis cache [onde resultou o problema na biblioteca de código aberto] match the requesting user;
We programmatically examine our logs to ensure that all messages are only available to the correct user;
We correlate multiple data sources to accurately identify affected users so that we can notify them;
We’ve improved the log to identify when this is happening and confirm that it has stopped altogether;
We have improved the robustness and scale of our enhanced Redis cluster to reduce the likelihood of connection errors under extreme loads.”
OpenAI
So, what is your assessment of the data leak that occurred in ChatGPT? Interact with us!
