A security bug in OpenAI's ChatGPT exposed some users' conversation titles and partial payment details to other users. OpenAI disclosed details of the bug after taking ChatGPT offline last week.
OpenAI Confirmed ChatGPT Vulnerability Exposing Data
On March 20, 2023, OpenAI's ChatGPT experienced a global outage, triggering concerns among users. It later emerged that OpenAI had taken the service offline deliberately after discovering a serious bug.
According to OpenAI's post on the incident, the company pulled ChatGPT offline after discovering a bug that could expose one user's data to another.
Specifically, the bug was in the open-source Redis client library redis-py, and it allowed conversation titles (and in some cases the first message of a newly created conversation) from one active user's chat history to be shown to another user. OpenAI uses Redis to cache user information so that not every request has to hit the database, Redis Cluster to distribute that load over multiple Redis instances, and redis-py, running under Asyncio, to talk to the cluster. The library maintains a shared pool of connections and recycles a connection for another request once the previous one completes.
As OpenAI explained, the bug surfaced when a request was cancelled after it had been pushed onto the incoming queue but before its response had been popped from the outgoing queue:
If a request is canceled after the request is pushed onto the incoming queue, but before the response popped from the outgoing queue, we see our bug: the connection thus becomes corrupted and the next response that’s dequeued for an unrelated request can receive data left behind in the connection.
In most such cases the result was a server error, but in a few cases the user was shown cached data belonging to an unrelated user. OpenAI explained:
In most cases, this results in an unrecoverable server error, and the user will have to try their request again.
But in some cases the corrupted data happens to match the data type the requester was expecting, and so what gets returned from the cache appears valid, even if it belongs to another user.
The bug was live for a nine-hour window, between 1 am and 10 am Pacific time on March 20, 2023. Besides exposing conversation titles, it also exposed payment-related details of some ChatGPT Plus subscribers (about 1.2% of those active during that window) to other users. The exposed details included first and last names, email addresses, payment addresses, the last four digits of credit card numbers, and card expiration dates; full card numbers were not exposed.
OpenAI Patched The Bug
Following the discovery, OpenAI pulled ChatGPT offline and worked on a fix. It patched the library and added redundant checks to ensure that the data returned from the Redis cache actually belongs to the user making the request. The company also identified the affected users in order to notify them.
OpenAI also thanked the Redis maintainers for promptly fixing the library.
While the bug has been fixed, paid subscribers may still consider asking their banks to monitor their cards. Because only the last four digits and the expiry date were exposed, the more realistic follow-on risk is phishing that uses the leaked name, email address and billing address to look convincing.
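The failure mode described above (a cancelled request leaving an unread reply on a pipelined connection, which a recycled connection then hands to the next, unrelated caller) and the two mitigations (discarding a connection whose request was cancelled mid-flight, plus a per-request check that the cached record belongs to the requester) can be reproduced in a few dozen lines of asyncio. The example below is added here for illustration and is not OpenAI's code or redis-py's; the `Connection` class, the `CACHE` contents and the user names are constructed for the demo and stand in for a real Redis connection pool.

```python
import asyncio
from collections import deque
from dataclasses import dataclass, field

# Constructed sample cache contents (made up for this example), keyed the way
# a per-user session cache might be.
CACHE = {
    "user:alice": {"user": "alice", "email": "alice@example.com", "card_last4": "1111"},
    "user:bob":   {"user": "bob",   "email": "bob@example.com",   "card_last4": "2222"},
}


@dataclass
class Connection:
    """Stand-in for one pipelined client connection. Replies come back strictly
    in the order commands were written, so a command whose reply is never read
    leaves a stale reply at the head of the queue for the next caller."""
    responses: deque = field(default_factory=deque)
    broken: bool = False

    def write(self, key: str) -> None:
        # The fake server answers immediately; the reply waits to be read.
        self.responses.append(CACHE.get(key))

    async def read(self):
        await asyncio.sleep(0)  # suspension point where a cancellation can land
        return self.responses.popleft()


async def fetch_unsafe(conn: Connection, key: str):
    """Vulnerable pattern: write, then read, with no handling of a cancellation
    between the two. The connection is reused regardless of what happened."""
    conn.write(key)
    return await conn.read()


async def fetch_safe(conn: Connection, key: str):
    """Hardened pattern. If the task is cancelled after writing but before
    reading, the reply is still in flight, so the connection is marked unusable
    and a pool should discard it instead of recycling it. Independently of that,
    the returned record is checked against the key that was requested."""
    conn.write(key)
    try:
        record = await conn.read()
    except asyncio.CancelledError:
        conn.broken = True
        raise
    expected_user = key.split(":", 1)[1]
    if record is not None and record["user"] != expected_user:
        conn.broken = True
        raise RuntimeError(f"cache returned {record['user']!r} for {key}")
    return record


async def _scenario(fetch, discard_broken: bool):
    conn = Connection()
    # Alice's request is cancelled after the command is written, before the
    # reply is read (client disconnect, timeout, ...).
    alice = asyncio.create_task(fetch(conn, "user:alice"))
    await asyncio.sleep(0)  # let Alice's task run up to its suspension point
    alice.cancel()
    try:
        await alice
    except asyncio.CancelledError:
        pass
    # Bob's request comes next. A naive pool recycles the same connection.
    if discard_broken and conn.broken:
        conn = Connection()  # the pool hands out a fresh connection instead
    return await fetch(conn, "user:bob")


def run_unsafe():
    """Vulnerable path: Bob is handed Alice's cached record."""
    return asyncio.run(_scenario(fetch_unsafe, discard_broken=False))


def run_safe():
    """Hardened path: the corrupted connection is discarded, Bob gets his own."""
    return asyncio.run(_scenario(fetch_safe, discard_broken=True))


def run_check_only():
    """Hardened read, but a pool that still recycles the connection: the
    per-request ownership check turns the cross-user leak into an error."""
    try:
        asyncio.run(_scenario(fetch_safe, discard_broken=False))
    except RuntimeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("unsafe:    ", run_unsafe())
    print("safe:      ", run_safe())
    print("check only:", run_check_only())
```

The two mitigations are deliberately independent: discarding the connection removes the root cause, while the ownership check is the "redundant check" that converts any remaining desynchronisation into a visible server error rather than another user's data.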