OpenAI-owned ChatGPT might have a vulnerability that could allow threat actors to launch distributed denial of service (DDoS) attacks on unsuspecting targets. According to a discovery made by German security researcher Benjamin Flesch, the ChatGPT crawler, which OpenAI uses to collect data from the internet to improve ChatGPT, can be tricked into DDoSing arbitrary websites. “ChatGPT crawler can be triggered to DDoS a victim website via HTTP request to unrelated ChatGPT API,” Flesch said in a Github repo with a POC. “This defect in OpenAI software will spawn a DDoS attack on the victim website, utilizing multiple Microsoft Azure IP address ranges on which ChatGPT crawler is running.” Flesch said the discovery was made in January 2025, and was since brought to OpenAI as well as Microsoft’s knowledge, neither of whom have yet acknowledged the flaw’s existence. Flesch pointed out that the ChatGPT API has a significant flaw when processing HTTP POST requests at its attributions endpoint. The API requires a list of URLs but fails to check for duplicate hyperlinks or enforce a limit on their numbers, allowing potentially thousands of hyperlinks in a single HTTP request. “It is commonly known that hyperlinks to the same website can be written in many different ways,” Flesch said. “Due to bad programming practices, OpenAI does not check if a hyperlink to the same resource appears multiple times in the list.” The API processes each hyperlink in a POST request individually, using Microsoft Azure servers, leading to numerous simultaneous connection attempts to the target site. The resulting large volume of connections from the OpenAI servers can potentially overwhelm the targeted website.
The same API is open to prompt injection attacks
According to another disclosure made by Flesch, the same API is also vulnerable to prompt injection attacks. The problem stems from the API accepting “urls” parameter containing text commands for their LLM. This could be exploited to make the crawler answer queries through the API, allowing it to respond to questions instead of simply fetching websites as intended. “Due to a large number of prompts that can be submitted via the urls parameter, this software defect could be further utilized to slow down the OpenAI servers,” Felsch added. While acknowledgment and enumeration of the flaws are still awaited, Felsch placed the DDoS enabling flaw’s severity at 8.6 out of 10 on the CVSS scale, owing to its network-based nature, low complexity, absence of privilege requirement or user interaction, and high impact of availability of services. Queries sent to OpenAI for acknowledgment and other flaw details received no responses until the publishing of this article.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3806556/chatgpt-api-flaws-could-allow-ddos-prompt-injection-attacks.html
