OpenAI’s ChatGPT crawler can apparently be coaxed into launching distributed denial-of-service (DDoS) attacks against arbitrary websites, a vulnerability that the tech giant has reportedly yet to acknowledge.
In a write-up shared this month via Microsoft’s GitHub, German security researcher Benjamin Flesch explains how a single HTTP request to the ChatGPT API can be used to flood a target website with network requests from ChatGPT’s crawler, specifically the ChatGPT-User bot.
This flood of connections may or may not be enough to knock a given site offline in practical terms, but it is still dangerous and certainly an oversight by OpenAI. It can be used to amplify a single API request into anywhere from 20 to over 5,000 requests per second against a chosen victim’s website, and to do so repeatedly.
“The ChatGPT API exhibits significant quality deficiencies when processing HTTP POST requests to https://chatgpt.com/backend-api/attributions,” Flesch explained in the advisory, referring to an API endpoint that OpenAI’s ChatGPT calls to return information about the web sources cited in the chatbot’s output. When ChatGPT mentions particular websites, it calls attributions with a list of URLs to those sites so that its crawler can access them and retrieve information about them.
If you throw a big, long list of URLs at the API, each slightly different but all pointing to the same site, the crawler will go off and hit every one of them at once.
“The API requires a list of hyperlinks in the urls parameter. It is well known that hyperlinks to the same website can be written in different ways,” Flesch wrote.
“Due to poor programming practices, OpenAI does not check whether hyperlinks to the same resource appear multiple times in the list. Also, OpenAI does not limit the maximum number of hyperlinks stored in the urls parameter. This allows the sending of large numbers of hyperlinks, potentially thousands of hyperlinks within a single HTTP request.”
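The two missing checks Flesch describes, deduplication of equivalent hyperlinks and a cap on list size, are easy to express as server-side input validation. The following is an added example written for this article, not OpenAI’s code; the limits (MAX_URLS, MAX_PER_HOST), the exception class and the function names are assumptions chosen for illustration. It canonicalizes each URL so that trivially different spellings of the same resource compare equal, drops duplicates, and rejects lists that are too long or that concentrate too many distinct URLs on a single host, which is the amplification pattern in the write-up.

```python
"""Input hardening for a 'urls' parameter like the one described in the article.

Added example, not OpenAI's code. The limits and names below are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

MAX_URLS = 10       # assumed cap on hyperlinks accepted per request
MAX_PER_HOST = 2    # assumed cap on distinct URLs allowed for one target host


class RejectedRequest(ValueError):
    """Raised when the list fails validation; the caller should answer HTTP 400."""


def canonicalize(url: str) -> str:
    """Normalize a URL so equivalent spellings compare equal.

    Lower-cases scheme and host, drops default ports and fragments,
    strips a trailing slash and sorts query parameters.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port                     # raises ValueError on a bad port
    except ValueError as exc:
        raise RejectedRequest(f"malformed URL: {url!r}") from exc
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RejectedRequest(f"unsupported or malformed URL: {url!r}")
    host = parts.hostname.lower()
    default_port = 80 if parts.scheme == "http" else 443
    if port and port != default_port:
        host = f"{host}:{port}"
    path = parts.path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return urlunsplit((parts.scheme, host, path, query, ""))


def host_of(url: str) -> str:
    """Target host of an already canonicalized URL (port stripped)."""
    return urlsplit(url).hostname.lower()


def validate_urls(urls, max_urls=MAX_URLS, max_per_host=MAX_PER_HOST):
    """Return the deduplicated list the crawler may fetch, or raise RejectedRequest.

    Rejects non-list input, oversized lists, malformed entries, and lists that
    aim more than max_per_host distinct URLs at the same host.
    """
    if not isinstance(urls, list):
        raise RejectedRequest("urls must be a list")
    if len(urls) > max_urls:
        raise RejectedRequest(f"too many URLs: {len(urls)} > {max_urls}")
    seen = {}          # canonical URL -> None; dict keeps insertion order
    per_host = {}
    for raw in urls:
        canon = canonicalize(raw)
        if canon in seen:
            continue   # same resource written differently: drop the duplicate
        host = host_of(canon)
        per_host[host] = per_host.get(host, 0) + 1
        if per_host[host] > max_per_host:
            raise RejectedRequest(f"too many distinct URLs for host {host}")
        seen[canon] = None
    return list(seen)


if __name__ == "__main__":
    # Constructed input: three spellings of one page plus one more on the same host.
    print(validate_urls(["https://victim.example/1", "HTTPS://Victim.example:443/1/",
                         "https://victim.example/1#frag", "https://victim.example/2"]))
```

The per-host cap is the important part: a list of thousands of distinct paths on one domain passes a pure duplicate check, so deduplication alone does not stop the amplification the article describes.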
Victims never know what hit them
Therefore, an attacker could use a tool such as curl to send an HTTP POST request to that ChatGPT endpoint, with no authentication token required, and OpenAI’s servers on Microsoft Azure would respond by initiating an HTTP request for each hyperlink submitted in the urls parameter. When those requests all target the same website, they can overwhelm it and produce DDoS symptoms. Because the crawler is proxied through Cloudflare, it reaches the target site from a different IP address each time.
“Victims will never know what hit them, they just see the ChatGPT bot accessing their website from about 20 different IP addresses at the same time,” Flesch told The Register. Even if the victim enabled a firewall rule to block the IP address range used by the ChatGPT bot, he added, the bot would keep sending requests.
“Thus, if one request fails or is blocked, it does not prevent the ChatGPT bot from requesting the victim’s website again within the next millisecond.”
“This amplification allows the attacker to send a small number of requests to the ChatGPT API, but the victim receives a significant number of requests,” Flesch explained.
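From the site operator’s side, the signature Flesch describes is a burst of crawler hits arriving from many source addresses within the same second. The following is an added example for this article, not something from the write-up or from OpenAI: it parses constructed access-log lines in the common combined format, keeps only hits whose user agent carries an assumed marker string (ChatGPT-User), and flags any one-second window with many hits from many distinct IPs. The thresholds (window_s, min_hits, min_ips) and the sample user-agent string are assumptions an operator would tune against their own traffic.

```python
"""Flag reflected-crawler bursts in web-server access logs.

Added example, not from the article. Log lines below are constructed and the
thresholds are assumptions; tune them to the site's normal crawler traffic.
"""
import re
from collections import deque
from datetime import datetime

# Common "combined" log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 12 crawler hits in one second from 6 addresses,
# one ordinary browser hit, and one lone crawler hit five seconds later.
CRAWLER_UA = ("Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); "
              "compatible; ChatGPT-User/1.0; +https://openai.com/bot")  # assumed UA text
SAMPLE_LOG = [
    f'203.0.113.{i % 6 + 1} - - [10/Jan/2025:12:00:00 +0000] "GET /page/{i} HTTP/1.1" '
    f'200 512 "-" "{CRAWLER_UA}"'
    for i in range(12)
] + [
    '198.51.100.7 - - [10/Jan/2025:12:00:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    f'203.0.113.1 - - [10/Jan/2025:12:00:05 +0000] "GET /page/99 HTTP/1.1" 200 512 "-" "{CRAWLER_UA}"',
]


def parse_line(line):
    """Return a dict with ip, ts (datetime), req, status, ref, ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def find_bursts(lines, ua_marker="ChatGPT-User", window_s=1.0, min_hits=10, min_ips=5):
    """Slide a time window over crawler hits and report bursts.

    Returns one (window_start, hits, distinct_ips) tuple per burst, where a
    burst is any run of windows with at least min_hits hits from at least
    min_ips distinct source addresses; the tuple holds the burst's peak size.
    """
    hits = [e for e in map(parse_line, lines) if e and ua_marker in e["ua"]]
    hits.sort(key=lambda e: e["ts"])
    window = deque()
    bursts = []
    in_burst = False
    for entry in hits:
        window.append(entry)
        while (entry["ts"] - window[0]["ts"]).total_seconds() > window_s:
            window.popleft()
        ips = {w["ip"] for w in window}
        hot = len(window) >= min_hits and len(ips) >= min_ips
        if hot and not in_burst:
            bursts.append((window[0]["ts"], len(window), len(ips)))
        elif hot:
            start = bursts[-1][0]   # same burst: keep the peak counts
            bursts[-1] = (start, max(bursts[-1][1], len(window)), max(bursts[-1][2], len(ips)))
        in_burst = hot
    return bursts


if __name__ == "__main__":
    for start, hits, ips in find_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()} burst: {hits} crawler hits from {ips} IPs")
```

Matching on the user agent only catches crawlers that identify themselves, as this one does; the same window logic can be applied to all traffic for a given path prefix if the concern is abuse that spoofs the agent string.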
Flesch reported this unauthenticated reflective DDoS vulnerability through numerous channels, including OpenAI’s BugCrowd vulnerability reporting platform, OpenAI’s security team email address, Microsoft (including Azure), and HackerOne, but says he never heard anything back.
The Register reached out to Microsoft-backed OpenAI twice but did not hear back.
“The bigger story is that this API was also vulnerable to prompt injection,” he said, referring to another vulnerability disclosure. “Why would they need to be using prompt injection for such a simple task? Maybe it’s because they’re dogfooding autonomous ‘AI agents’.”
The second issue means the crawler will answer questions sent through the same attributions API endpoint: if you send the bot a question, it responds to it, when all it should do is fetch a website.
Flesch wondered why OpenAI’s bot does not implement simple, well-established methods to properly deduplicate the URLs in the requested list or to limit the size of that list, and why it does not avoid the prompt injection vulnerability that the main ChatGPT interface has already addressed.
“This little API seems to me like a sample project for a ChatGPT AI agent. Its task is to parse a URL from user-provided data and retrieve a website using Azure,” he said.
“Don’t ‘AI agents’ have security built in?” he asked. “Apparently the ‘AI agent’ that was handling the urls parameter had no concept of resource exhaustion, and did not understand why it would be foolish to send thousands of requests to the same web domain in the same second.
“Shouldn’t it have realized that victim.com/1 and victim.com/2 point to the same website, victim.com? And if the victim.com/1 request fails, why should it send a request to victim.com/2 immediately after that?
“These are all little validation logics that people have been implementing in software for years to prevent exploits like this.”
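The validation logic Flesch has in mind on the crawler side is a per-host budget plus a circuit breaker: stop hitting a host once it has returned failures, and never exceed a fixed number of fetches to one host per time window regardless of how many URLs the list contains. The following is an added example for this article, not OpenAI’s crawler code; the HostGuard class, its parameters and the injected fetch and clock callables are assumptions so that the logic runs offline and deterministically.

```python
"""Crawler-side guard: per-host rate limit plus a circuit breaker.

Added example, not OpenAI's crawler. The fetch function and the clock are
injected so the behaviour can be exercised without network access.
"""
import time
from collections import defaultdict
from urllib.parse import urlsplit


class HostGuard:
    """Decides whether the crawler may fetch a URL right now.

    max_per_window: fetches allowed per host within window_s seconds.
    max_failures:   consecutive failures after which the host's breaker opens.
    cooldown_s:     how long an open breaker blocks that host.
    """

    def __init__(self, max_per_window=5, window_s=1.0, max_failures=1,
                 cooldown_s=60.0, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.max_failures = max_failures
        self.cooldown_s = cooldown_s
        self.clock = clock
        self._recent = defaultdict(list)   # host -> timestamps of recent fetches
        self._failures = defaultdict(int)  # host -> consecutive failure count
        self._open_until = {}              # host -> clock time the breaker closes

    @staticmethod
    def _host(url):
        return (urlsplit(url).hostname or "").lower()

    def allow(self, url):
        """Return (allowed, reason); records the fetch against the host budget if allowed."""
        host = self._host(url)
        now = self.clock()
        if self._open_until.get(host, 0) > now:
            return False, "circuit open"
        recent = [t for t in self._recent[host] if now - t < self.window_s]
        self._recent[host] = recent
        if len(recent) >= self.max_per_window:
            return False, "rate limited"
        recent.append(now)
        return True, "ok"

    def record(self, url, ok):
        """Report the fetch outcome; open the breaker after max_failures in a row."""
        host = self._host(url)
        if ok:
            self._failures[host] = 0
            return
        self._failures[host] += 1
        if self._failures[host] >= self.max_failures:
            self._open_until[host] = self.clock() + self.cooldown_s


def fetch_all(urls, fetch, guard):
    """Fetch each URL through the guard.

    Returns {url: outcome} where outcome is 'fetched', 'failed', or the
    reason the guard skipped it ('rate limited' / 'circuit open').
    """
    results = {}
    for url in urls:
        allowed, reason = guard.allow(url)
        if not allowed:
            results[url] = reason
            continue
        ok = fetch(url)           # injected; a real crawler would do the HTTP GET here
        guard.record(url, ok)
        results[url] = "fetched" if ok else "failed"
    return results


if __name__ == "__main__":
    # Constructed scenario: four paths on one host, the first of which fails.
    frozen_clock = lambda: 1000.0
    guard = HostGuard(max_per_window=3, clock=frozen_clock)
    urls = [f"https://victim.example/{i}" for i in range(1, 5)]
    print(fetch_all(urls, lambda u: not u.endswith("/1"), guard))
```

With the breaker in place a failed request to victim.example/1 blocks victim.example/2 for the cooldown period, and with the window budget even an all-success list cannot drive more than max_per_window fetches per second at one host, however many distinct paths it contains.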
According to Flesch, the only explanation that comes to mind is that OpenAI is using an AI agent to trigger these HTTP requests.
“It’s hard to imagine highly paid Silicon Valley engineers designing software like this, because the ChatGPT crawler, like the Google crawler, has been crawling the web for years,” he said. “If a crawler does not limit the number of requests to the same website, it will be immediately blocked.” ®