CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Indirect Prompt Injection Vulnerabilities in ChatGPT Models

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

Researchers from Tenable discovered seven vulnerabilities in OpenAI's ChatGPT models (GPT-4o and GPT-5) that enable attackers to extract personal information from users' memories and chat histories. These vulnerabilities allow for indirect prompt injection attacks, which manipulate the AI's behavior to execute unintended or malicious actions. OpenAI has addressed some of these issues, but several vulnerabilities persist. The vulnerabilities include indirect prompt injection via trusted sites, zero-click indirect prompt injection in search contexts, and prompt injection via crafted links. Other techniques involve bypassing safety mechanisms, injecting malicious content into conversations, hiding malicious prompts, and poisoning user memories. The vulnerabilities affect the 'bio' feature, which allows ChatGPT to remember user details and preferences across chat sessions, and the 'open_url' command-line function, which leverages SearchGPT to access and render website content. Attackers can exploit the 'url_safe' endpoint by using Bing click-tracking URLs to lure users to phishing sites or exfiltrate user data. These findings highlight the risks associated with exposing AI chatbots to external tools and systems, which expand the attack surface for threat actors. The vulnerabilities stem from how ChatGPT ingests and processes instructions from external sources, allowing attackers to exploit these flaws through various methods. The most concerning issue is a zero-click vulnerability, where simply asking ChatGPT a benign question can trigger an attack if the search results include a poisoned website.

Timeline

  1. 05.11.2025 16:04 3 articles · 5d ago

    Indirect Prompt Injection Vulnerabilities in ChatGPT Models Disclosed

    The vulnerabilities affect the 'bio' feature, which allows ChatGPT to remember user details and preferences across chat sessions. The 'open_url' command-line function in ChatGPT leverages SearchGPT to access and render website content, which can be exploited for prompt injection. The 'url_safe' endpoint in ChatGPT treats bing.com as a safe domain, allowing attackers to use specially crafted Bing URLs to exfiltrate user data. Attackers can exploit the 'url_safe' endpoint by using Bing click-tracking URLs to lure users to phishing sites. The 'conversation injection' method involves getting SearchGPT to provide ChatGPT with a response that includes a prompt to be executed by ChatGPT. Attackers can hide malicious prompts from users by adding them to code blocks. Tenable researchers demonstrated end-to-end attacks using these vulnerabilities, including exfiltrating user data and injecting malicious memories. Some of these attack methods still work against the latest GPT-5 model, despite OpenAI's patches.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Google Gemini AI Vulnerabilities Allowing Prompt Injection and Data Exfiltration

Researchers disclosed three vulnerabilities in Google's Gemini AI assistant that could have exposed users to privacy risks and data theft. The flaws, collectively named the Gemini Trifecta, affected Gemini Cloud Assist, the Search Personalization Model, and the Browsing Tool. These vulnerabilities allowed for prompt injection attacks, search-injection attacks, and data exfiltration. Google has since patched the issues and implemented additional security measures. The vulnerabilities could have been exploited to inject malicious prompts, manipulate AI behavior, and exfiltrate user data. The flaws highlight the potential risks of AI tools being used as attack vectors rather than just targets. The Gemini Search Personalization model's flaw allowed attackers to manipulate AI behavior and leak user data by injecting malicious search queries via JavaScript from a malicious website. The Gemini Cloud Assist flaw allowed attackers to execute instructions via prompt injections hidden in log content, potentially compromising cloud resources and enabling phishing attacks. The Gemini Browsing Tool flaw allowed attackers to exfiltrate a user's saved information and location data by exploiting the tool's 'Show thinking' feature. Google has made specific changes to mitigate each flaw, including rolling back vulnerable models, hardening search personalization features, and preventing data exfiltration from browsing in indirect prompt injections.

Open in new tab

ShadowLeak: Undetectable Email Theft via AI Agents

A new attack vector, dubbed ShadowLeak, allows hackers to invisibly steal emails from users who integrate AI agents like ChatGPT with their email inboxes. The attack exploits the lack of visibility into AI processing on cloud infrastructure, making it undetectable to the user. The vulnerability was discovered by Radware and reported to OpenAI, which addressed it in August 2025. The attack involves embedding malicious code in emails, which the AI agent processes and acts upon without user awareness. The attack leverages an indirect prompt injection hidden in email HTML, using techniques like tiny fonts, white-on-white text, and layout tricks to remain undetected by the user. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint. The ShadowLeak attack targets users who connect AI agents to their email inboxes, such as those using ChatGPT with Gmail. The attack is non-detectable and leaves no trace on the user's network. The exploit involves embedding malicious code in emails, which the AI agent processes and acts upon, exfiltrating sensitive data to an attacker-controlled server. OpenAI acknowledged and fixed the issue in August 2025, but the exact details of the fix remain unclear. The exfiltration in ShadowLeak occurs directly within OpenAI's cloud environment, bypassing traditional security controls.

Open in new tab

Growing threat landscape for AI agents and non-human identities

The rapid adoption of AI agents and non-human identities (NHIs) presents significant security challenges. These entities are increasingly targeted by adversaries, with known attack vectors growing rapidly. The unique characteristics of AI agents, such as autonomy and extensive access, exacerbate these risks. Security experts warn of a closing window of opportunity to secure these tools and data. The threat landscape includes data poisoning, jailbreaking, prompt injection, and the exploitation of abandoned agents. Recent research highlights the potential for malicious proxy settings and zero-click vulnerabilities. Proactive measures are essential to mitigate these risks and build robust defenses.

Open in new tab

AI Browsers Vulnerable to PromptFix Exploit for Malicious Prompts

AI-driven browsers are vulnerable to a new prompt injection technique called PromptFix, which tricks them into executing malicious actions. The exploit embeds harmful instructions within fake CAPTCHA checks on web pages, leading AI browsers to interact with phishing sites or fraudulent storefronts without user intervention. This vulnerability affects AI browsers like Perplexity's Comet, which can be manipulated into performing actions such as purchasing items on fake websites or entering credentials on phishing pages. The technique leverages the AI's design goal of assisting users quickly and without hesitation, leading to a new form of scam called Scamlexity. This involves AI systems autonomously pursuing goals and making decisions with minimal human supervision, increasing the complexity and invisibility of scams. The exploit can be triggered by simple instructions, such as 'Buy me an Apple Watch,' leading the AI browser to add items to carts and auto-fill sensitive information on fake sites. Similarly, AI browsers can be tricked into parsing spam emails and entering credentials on phony login pages, creating a seamless trust chain for attackers. Guardio's tests revealed that agentic AI browsers are vulnerable to phishing, prompt injection, and purchasing from fake shops. Comet was directed to a fake shop and completed a purchase without human confirmation. Comet also treated a fake Wells Fargo email as genuine and entered credentials on a phishing page. Additionally, Comet interpreted hidden instructions in a fake CAPTCHA page, triggering a malicious file download. AI firms are integrating AI functionality into browsers, allowing software agents to automate workflows, but enterprise security teams need to balance automation's benefits with the risks posed by the fact that artificial intelligence lacks security awareness. Security has largely been put on the back burner, and AI browser agents from major AI firms failed to reliably detect the signs of a phishing site. Nearly all companies plan to expand their use of AI agents in the next year, but most are not prepared for the new risks posed by AI agents in a business environment. Until the security aspect of agentic AI browsers reaches a certain level of maturity, it is advisable to avoid assigning sensitive tasks to them and to manually input sensitive data when needed.

Open in new tab

Zero-click exploit targets AI enterprise agents

AI enterprise agents, integrated with various enterprise environments, are vulnerable to zero-click exploits. Attackers can take over these agents using only a user's email address, gaining access to sensitive data and manipulating users. The exploit affects major AI assistants from Microsoft, Google, OpenAI, Salesforce, and others. Organizations must adopt dedicated security programs to manage ongoing risks associated with AI agents. Current security approaches focusing on prompt injection have proven ineffective. The exploit highlights the need for defense-in-depth strategies and hard boundaries to mitigate risks. Organizations are advised to assume breaches and apply lessons learned from past security challenges.

Open in new tab