Home > Tech

ChatGPT has a scary security risk after new update. Is your data in trouble?

The introduction of file uploading in ChatGPT Plus is creating some unfortunate future problems.
By Chance Townsend  on 
Share on Facebook Share on Twitter Share on Flipboard
RGB overlay of the ChatGPT logo
Credit: Mashable / Bob Al-Greene

Thanks to new ChatGPT updates like the Code Interpreter, OpenAI's popular generative artificial intelligence is rife with more security concerns. According to research from security expert Johann Rehberger (and follow-up work from Tom's Hardware), ChatGPT has glaring security flaws that stem from its new file-upload feature.

OpenAI's recent update to ChatGPT Plus added a myriad of new features, including DALL-E image generation and the Code Interpreter, which allows Python code execution and file analysis. The code is created and run in a sandbox environment that is unfortunately vulnerable to prompt injection attacks.

SEE ALSO: OpenAI's Sam Altman breaks silence on AI executive order

A known vulnerability in ChatGPT for some time now, the attack involves tricking ChatGPT into executing instructions from a third-party URL, leading it to encode uploaded files into a URL-friendly string and send this data to a malicious website. While the likelihood of such an attack requires specific conditions (e.g., the user must actively paste a malicious URL into ChatGPT), the risk remains concerning. This security threat could be realized through various scenarios, including a trusted website being compromised with a malicious prompt — or through social engineering tactics.

Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable's weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

Tom's Hardware did some impressive work testing just how vulnerable users may be to this attack. The exploit was tested by creating a fake environment variables file and using ChatGPT to process and inadvertently send this data to an external server. Although the exploit's effectiveness varied across sessions (e.g., ChatGPT sometimes refused to load external pages or transmit file data), it raises significant security concerns, especially given the AI's ability to read and execute Linux commands and handle user-uploaded files in a Linux-based virtual environment.

Related Stories

As Tom's Hardware states in its findings, despite seeming unlikely, the existence of this security loophole is significant. ChatGPT should ideally not execute instructions from external web pages, yet it does. Mashable reached out to OpenAI for comment, but it did not immediately respond to our request.

Topics Artificial Intelligence ChatGPT OpenAI

Headshot of a Black man
Chance Townsend
Assistant Editor, General Assignments

Currently residing in Austin, Texas, Chance Townsend is an Assistant Editor at Mashable covering tech, entertainment, dating apps, and whatever else comes his way. He has a Master's in Journalism from the University of North Texas and is the proud father of one orange cat.

In his free time, he cooks, loves to sleep, and "enjoys" watching the Lions and Pistons break his heart weekly. If you have any stories, tips, recipes, or wanna talk shop about Detroit sports you can reach him at [email protected]

Recommended For You
Walmart+ Week is coming: What to know about the members-only event
By Samantha Mangino
A graphic that says Walmart+ Week, June 17-23
Prime Day 2024 is coming: These are the best deals to watch out for
By Mashable Shopping Team
Glowing cardboard box on a blue background
30+ of the best outdoor deals to shop while Memorial Day sales are still going
By Lauren Allain
a collage of outdoor items sit on a pink and orange background. They include a green REI hiking backpack, a north face tent, a blue hydro flask cooler backpack, and a solo stove.
Many Amazon Memorial Day Sale prices are still live and packed with deals on tech, summer prep, home goods, and more
By Lauren Allain and Samantha Mangino
an amazon kindle scribe, a pair of white beats studio earbuds, a pink hydro flash water bottle with pink straw, and a black traeger barbecue all sit on a light blue background that has lighter blue streaks running though it diagonally
Walmart's Memorial Day sale is still live — here are the standouts
By Bethany Allard and Christina Buff
two women sitting on couch with jbl charge 5 speaker
Trending on Mashable
NYT Connections today: See hints and answers for May 30
By Mashable Team
A phone displaying the New York Times game 'Connections.'
'Wordle' today: Here's the answer hints for May 30
By Mashable Team
a phone displaying Wordle
Meta is using your posts to train AI. It's not easy to opt out.
By Cecily Mauran
Instagram, Facebook, and WhatsApp icons on a smartphone screen
Ticketmaster hacked. Breach affects more than half a billion users.
By Matt Binder
Ticketmaster website
Google Search algorithm documents have leaked. Here's what experts are saying.
By Matt Binder
Google seach
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!