Tenable researchers have identified a collection of vulnerabilities within the OpenAI ChatGPT ecosystem, which they have named HackedGPT. The flaws made it possible to leak private user data and to take over accounts on third-party websites by manipulating ChatGPT plugins.
The investigation revealed that the vulnerabilities could be exploited by an attacker who creates a malicious plugin and persuades a user to install it from the ChatGPT plugin store. Once installed, this plugin could then interact with other plugins used by the same user without their knowledge or consent, leading to the exfiltration of sensitive information.
The HackedGPT Attack Chain
The primary attack vector demonstrated by Tenable involved a malicious plugin designed to perform unauthorized actions. After a user installed the proof-of-concept (PoC) plugin, it was able to send requests to other legitimate plugins installed by the victim. This cross-plugin request forgery allowed the malicious plugin to access data and functions from services connected to the user’s ChatGPT account.
In one specific demonstration, the researchers’ malicious plugin targeted the ‘AskTheCode’ plugin to access and exfiltrate data from a user’s private GitHub repository. The attack successfully retrieved files, including private keys and user data, by leveraging the authorized connection between ChatGPT and the user’s GitHub account.
Data Exfiltration and Account Takeover Impact
The research team confirmed several significant impacts of the HackedGPT vulnerabilities. The attack chain made it possible to steal a user’s entire conversation history from their ChatGPT account. The PoC successfully retrieved and exfiltrated these conversations to an external server controlled by the researchers.
Furthermore, the vulnerabilities were used to perform an account takeover on a third-party website. The researchers targeted a vulnerable plugin for a domain registrar, name.com, which used an OAuth authentication flow. The malicious plugin was able to intercept the OAuth code during the login process, allowing the attacker to gain full control over the victim’s account on the external website. Tenable responsibly disclosed its findings to OpenAI, which subsequently implemented mitigations to address the reported issues.
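The OAuth code interception described above is the failure mode that the authorization-code flow's state parameter and PKCE (RFC 7636) exist to contain. The following is an added example, not Tenable's PoC and not the name.com plugin's code: a constructed toy authorization server and plugin client show that an intercepted code cannot be exchanged without the code_verifier held in the victim's session, and that a code delivered to the wrong session fails the state check before any exchange is attempted.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    """Constructed toy authorization server that binds every code to a PKCE challenge."""
    def __init__(self) -> None:
        self._codes = {}  # code -> (code_challenge, redirect_uri)

    def authorize(self, code_challenge: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, redirect_uri)
        return code

    def token(self, code: str, code_verifier: str, redirect_uri: str):
        # Single use: a failed exchange burns the code too, so an interceptor's
        # wrong guess cannot be followed by a successful redemption of the same code.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        challenge, bound_uri = entry
        if bound_uri != redirect_uri or not hmac.compare_digest(pkce_challenge(code_verifier), challenge):
            return None
        return "access-token-" + secrets.token_hex(8)


class PluginClient:
    """Constructed stand-in for a plugin's OAuth client; state and verifier live only in the user's session."""
    def __init__(self, server: AuthorizationServer, redirect_uri: str) -> None:
        self.server = server
        self.redirect_uri = redirect_uri
        self._sessions = {}  # session_id -> (state, code_verifier)

    def start_login(self, session_id: str) -> dict:
        verifier = secrets.token_urlsafe(32)
        state = secrets.token_urlsafe(16)
        self._sessions[session_id] = (state, verifier)
        return {"state": state, "code_challenge": pkce_challenge(verifier), "redirect_uri": self.redirect_uri}

    def finish_login(self, session_id: str, code: str, state: str):
        stored = self._sessions.pop(session_id, None)
        if stored is None or not hmac.compare_digest(stored[0], state):
            return None  # code delivered to a session that never issued this state
        return self.server.token(code, stored[1], self.redirect_uri)
```

The redirect_uri and session identifiers used with these classes are placeholders; a real deployment would also register the redirect_uri with the authorization server ahead of time.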