The team at Tenable Research unearthed seven distinct security flaws, demonstrating how attackers could exploit these weaknesses using proof-of-concept attacks. These attacks include phishing schemes, data exfiltration, and even establishing persistent footholds within the AI’s memory. The implications are substantial, given the millions of users who interact with these Large Language Models (LLMs) daily.
At the heart of the problem lies prompt injection, a technique where malicious instructions are surreptitiously fed to the AI. Tenable’s research focused on a particularly insidious variant: indirect prompt injection. This involves hiding malicious commands within external sources that ChatGPT consults during its operations.
The report highlights two primary attack vectors:
- Hidden in Comments: A malicious prompt can be embedded within the comment section of a seemingly innocuous blog post. If a user asks ChatGPT to summarize that blog, the AI unwittingly executes the hidden instruction.
- Zero-Click Attack via Search: Perhaps the most alarming scenario, this involves attackers creating specially crafted websites that, once indexed by search engines, can compromise a user who simply asks ChatGPT a question. The AI discovers the hidden instruction while searching, without the user ever clicking a link.
The research also exposed methods for circumventing ChatGPT’s built-in safety mechanisms and ensuring that attacks have lasting consequences.
Here’s how attackers are achieving this:
- Safety Bypass: The url_safe feature, designed to block malicious links, can be bypassed by leveraging trusted domains like Bing.com. Attackers can use tracking links from these domains to covertly transmit private user data.
- Self-Tricking AI: Through Conversation Injection, attackers can manipulate the AI into deceiving itself, obscuring the malicious activity from the user by exploiting a bug in how code blocks are displayed.
- Memory Injection: The most serious vulnerability is Memory Injection. This allows attackers to permanently store malicious prompts within the user’s “memories”—private data retained across chats. This creates a persistent threat, causing continuous data leakage with every interaction.
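The Safety Bypass item above describes why a link filter that trusts whole domains fails: the domain check passes while the query string carries the user's data elsewhere. The following is an added illustration (not OpenAI's url_safe code, and not Tenable's proof of concept) of a domain-only check beside a stricter one that also refuses links whose parameters redirect to another host or contain the user's stored private data; the trusted-host set, the `/redirect?u=` link shape, the `attacker.example` host and the sample memory are all constructed.

```python
import base64
from urllib.parse import parse_qsl, unquote, urlparse

# Assumption: the filter trusts a few well-known hosts, as the article describes.
TRUSTED_HOSTS = {"bing.com", "www.bing.com"}


def weak_url_safe(url: str) -> bool:
    """Domain-only allowlist: a link is 'safe' if its host is trusted."""
    host = (urlparse(url).hostname or "").lower()
    return host in TRUSTED_HOSTS


def _encodings(secret: str) -> list[str]:
    """Forms a secret may take inside a query string: plain and base64 (padding dropped)."""
    raw = secret.encode()
    return [
        secret,
        base64.b64encode(raw).decode().rstrip("="),
        base64.urlsafe_b64encode(raw).decode().rstrip("="),
    ]


def strict_url_safe(url: str, private_data: list[str]) -> bool:
    """Trusted host AND no parameter that redirects elsewhere or carries private data."""
    if not weak_url_safe(url):
        return False
    for _name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        value = unquote(value)  # tolerate double percent-encoding
        # A parameter that is itself a URL turns the trusted host into an open redirector.
        if value.lower().startswith(("http://", "https://")):
            return False
        # Nothing the user has stored privately may leave via the link, in any encoding.
        if any(enc and enc in value for s in private_data for enc in _encodings(s)):
            return False
    return True


# Constructed sample: one stored memory and two links an assistant might render.
MEMORIES = ["alice@example.com"]
BENIGN_LINK = "https://www.bing.com/search?q=weather+in+london"
EXFIL_LINK = (  # constructed redirect-style link on a trusted host
    "https://www.bing.com/redirect?u=https%3A%2F%2Fattacker.example%2Fc%3Fd%3D"
    + base64.urlsafe_b64encode(MEMORIES[0].encode()).decode()
)

if __name__ == "__main__":
    for link in (BENIGN_LINK, EXFIL_LINK):
        print(weak_url_safe(link), strict_url_safe(link, MEMORIES), link)
```

Both links pass the domain-only check; only the stricter check rejects the second, because its `u` parameter is a URL and embeds the base64-encoded memory.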
These vulnerabilities, present in both ChatGPT 4o and GPT-5, underscore a fundamental challenge for AI security. While OpenAI has been notified and is working on fixes, prompt injection remains a persistent issue for LLMs.
James Wickett, CEO of DryRun Security, emphasized the severity of the situation. “Prompt injection is the leading application security risk for LLM-powered systems for a reason,” Wickett told Hackread.com. “The recent research on ChatGPT shows how easy it is for attackers to slip hidden instructions into links, markdown, ads, or memory and make the model do something it was never meant to do.”
“Even OpenAI could not prevent these attacks completely, and that should be a wake-up call,” warns Wickett.
Wickett further stressed that context-based risks, such as prompt injection, necessitate innovative security solutions that consider both the code and the environment in which it operates.
The discovery of these ChatGPT vulnerabilities serves as a stark reminder that even the most advanced AI systems are susceptible to exploitation. As LLMs become increasingly integrated into our daily lives, addressing these security flaws will be critical to ensuring user privacy and data security.