Researchers warn users to stop using the EmailGPT service due to an unpatched security vulnerability. Exploiting the flaw potentially results in various security threats from data exposure to system crashes and monetary losses.
EmailGPT Extension Vulnerability Threatens Users
Sharing the details in a recent post, Synopsys Cybersecurity Research Center (CyRC) researchers highlighted how a severe security flaw in EmailGPT risks users’ security.
EmailGPT is an AI-powered email generating API and browser extension. Leveraging OpenAI’s GPT, it allows users quickly create email drafts and replies via prompts generated on the basis of the previous user communications.
As elaborated, the researchers discovered numerous prompt injection vulnerabilities that an adversary could exploit to take over the service logic. Consequently, the attackers may force the service to leak hardcoded system prompts and execute malicious prompts.
Regarding the impact of such exploits, the researchers mention about the users suffering financial losses due to repeated malicious prompts which an attacker may generate to the API that works on a pay-per-use model. Moreover, an attacker may also inject malicious prompts causing the service to leak sensitive user information, or even trigger denial of service.
This vulnerability, identified as CVE-2024-5184, received a medium severity rating and a CVSS score of 6.5, according to CyRC advisory.
No Patch Available Yet
According to the timeline shared in the advisory, the researchers first attempted to contact the EmailGPT developers and report the flaw in February 2024, followed by multiple attempts for the same. However, despite their effort, the researchers received no response from the service regarding vulnerability fixes.
Consequently, upon completion of the standard 90-day disclosure period, the researchers went ahead with public disclosure.
For now, there exists no viable patch or mitigation for the vulnerability. Given the threats associated with potential exploitation, the researchers advise users to stop using the EmailGPT service (API and browser extension) until a fix arrives.
Let us know your thoughts in the comments.
