Recently, a critical security vulnerability was discovered in ChatGPT by an independent security analyst and bug hunter, Nagli (@naglinagli), that allow attackers to easily gain complete control of any ChatGPT user’s account. ChatGPT, released publicly just two months ago, has become an increasingly used platform both across individual users and amongst businesses and organizations.
As a result, OpenAI, a Microsoft-backed firm, has created a bug bounty program to address any major security issues reported by researchers. One such bug, reported by Nagli himself, is a web cache deception attack which can be used to conduct Account TakeOvers (ATOs) on the platform.
Web cache deception was first introduced by Omer Gil at the Blackhat USA conference in 2017, and involves manipulating a server into storing a web cache by providing a non-existent URL. These URLs are then passed to victims via a variety of ways, and when visited by the attacker, reveals sensitive pieces of information.
OpenAI was quick to respond to Nagli’s report and managed to resolve the issue within hours. However, there are reports of hackers selling premium ChatGPT accounts on the dark web. The European Data Protection Board has created a task force to investigate ChatGPT and there has been some speculation of the platform being potentially used to write ransomware.
Nagli, the bug hunter and security analyst, is a Somalia native and experienced bug bounty hunter who has uncovered several critical security issues in the past few years. He aims to resolve such issues and help protect the public from any potential exploitations.
