OpenAI's ChatGPT Application Programming Interface (API) has a vulnerability that can be exploited to initiate a distributed denial of service (DDoS) attack on websites, according to details shared by a security researcher. The chatbot can reportedly be used to send thousands of network requests to a website using the ChatGPT crawler. The researcher claims that the vulnerability, which was given a high severity rating, is still active, with no response from the company on when the issue will be fixed.
ChatGPT API Allows Multiple Parallel Network Requests to the Same Website
In a GitHub post shared earlier this month, Germany-based security researcher Benjamin Flesch detailed the vulnerability that exists in the ChatGPT API. The researcher also posted code for a proof of concept that sends 50 parallel HTTP requests to a test website, revealing how the bug can be used to trigger a DDoS attack.
According to the researcher, the vulnerability surfaces when handling HTTP POST requests to https://chatgpt.com/backend-api/attributions. POST is a method for sending data to a server, typically used by an API endpoint to create new resources. While executing this function, the ChatGPT API requires a list of hyperlinks in the url parameter.
In what appears to be a flaw in its API, OpenAI does not check whether a hyperlink to the same resource appears multiple times in the list, according to the researcher. Since hyperlinks to a website can be written in different ways, this results in the crawler sending multiple network requests to the same website. Additionally, Flesch claims OpenAI does not enforce a limit on the maximum number of hyperlinks that can be added to the url parameter and sent in a single request.
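The two missing checks described above (collapsing different spellings of the same hyperlink into one fetch, and capping how many hyperlinks one request may carry) are what a server-side validator for such an endpoint would enforce. The following is an added example written for this article; it is not OpenAI's code and does not reproduce the attributions endpoint. The function names, the exception class and the cap value MAX_URLS_PER_REQUEST are assumptions, and the sample list is constructed.

```python
"""Server-side validation for an endpoint that accepts a list of hyperlinks.

Added example, not OpenAI's code. It demonstrates two defensive checks:
canonicalizing URLs so that variant spellings of one resource compare equal,
and rejecting requests whose URL list exceeds a fixed cap. Names such as
canonicalize_url, dedupe_and_cap and MAX_URLS_PER_REQUEST are assumed.
"""
from urllib.parse import quote, unquote, urlsplit, urlunsplit

MAX_URLS_PER_REQUEST = 20          # assumed cap; tune to the real workload
DEFAULT_PORTS = {"http": 80, "https": 443}


class UrlListRejected(ValueError):
    """Raised when a submitted URL list fails validation."""


def canonicalize_url(url: str) -> str:
    """Return one stable spelling of a URL so variants compare equal.

    Covers the common ways one resource can be written differently:
    scheme and host case, an explicit default port, a trailing dot on the
    host, an empty path versus '/', a fragment, and percent-encoding
    differences in the path. The query string is kept, since it can name
    a distinct resource; a trailing slash is kept for the same reason.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise UrlListRejected(f"unsupported scheme: {url!r}")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise UrlListRejected(f"missing host: {url!r}")
    try:
        port = parts.port                      # raises ValueError on a bad port
    except ValueError:
        raise UrlListRejected(f"invalid port: {url!r}") from None
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    # Decode then re-encode so '%70age' and 'page' compare equal; an empty
    # path and '/' are the same resource.
    path = quote(unquote(parts.path), safe="/") or "/"
    # Fragments are never sent to the origin server, so they cannot select a
    # different resource: drop them.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def dedupe_and_cap(urls, max_urls=MAX_URLS_PER_REQUEST):
    """Validate a submitted list: reject oversized lists, collapse duplicates.

    The length check runs on the raw list, before any canonicalization, so a
    client cannot make the server do unbounded parsing work either.
    """
    if not isinstance(urls, list):
        raise UrlListRejected("urls must be a list")
    if len(urls) > max_urls:
        raise UrlListRejected(f"too many URLs: {len(urls)} > {max_urls}")
    seen = set()
    unique = []
    for u in urls:
        canonical = canonicalize_url(u)
        if canonical not in seen:
            seen.add(canonical)
            unique.append(canonical)
    return unique


if __name__ == "__main__":
    # Constructed sample: six spellings that name only two resources.
    sample = [
        "https://example.com/page",
        "https://EXAMPLE.com/page",
        "https://example.com:443/page",
        "https://example.com/page#section",
        "https://example.com/page/",
        "https://example.com/%70age",
    ]
    print(dedupe_and_cap(sample))
```

Run as a script, the six constructed spellings collapse to two fetch targets, and a list longer than the cap is rejected before any URL is parsed. Canonicalization is deliberately conservative: it only merges spellings that the HTTP and URL specifications already define as equivalent, so it never merges two genuinely different resources.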
As a result, a malicious actor can potentially send thousands of hits to a website, which could quickly overwhelm its server. The security researcher gave this vulnerability a high-severity "8.6 CVSS" rating, since it is network-based, has low complexity in execution, requires no privileges or user interaction, and impacts availability.
Flesch claimed to have reached out to both OpenAI and Microsoft (as its servers host the ChatGPT API) about the vulnerability multiple times via different channels after discovering the bug in January. He claimed that he reported it to the OpenAI security team, OpenAI employees via reports, the OpenAI data privacy officer, as well as Microsoft's security and Azure network operations team.
Despite making several attempts to flag the vulnerability, the researcher claimed that the issue is neither resolved nor has the AI firm acknowledged its existence. Gadgets 360 staff members were not able to verify the presence of the bug on the chatbot.