According to detailed information from cybersecurity researchers, OpenAI’s ChatGpt Application Programming Interface (API) has a vulnerability that can be exploited to launch a distributed denial of service (DDOS) attack on a website. Chatbots are reportedly available to send thousands of network requests to websites using Chatgpt Crawler. The researchers claim that the vulnerability given a high severity rating remains active, and the company has not responded to when the problem will be resolved.
The CHATGPT API allows multiple parallel network requests to the same website
In a GitHub post shared earlier this month, Germany-based security researcher Benjamin Flesch detailed the vulnerability present in the Chatgpt API. The researchers also released code for a proof of concept that sent 50 parallel HTTP requests to the test site and revealed how the error was used to trigger a DDOS attack.
According to Flesch, a vulnerability in handling http POST requests surfaced. This is a way to send data to a server, which is usually used by API endpoints to create new resources. When performing this function, the ChatGPT API requires a list of hyperlinks in the URL parameters.
According to the researchers, it seems to be a flaw in its API, OpenAI does not check if there are multiple hyperlinks in the list that are hyperlinked to the same resource. Since hyperlinks to websites can be written in different ways, this causes crawling to send multiple parallel network requests to the same website. Additionally, Flesch claims OpenAI do not force a limit on the maximum number of hyperlinks that can be added to the URL parameters and sent in a single request.
As a result, a malicious actor could send thousands of hits to the website, which could quickly flood their servers. Security researchers gave this vulnerability a highly severity “8.6 CVSS” rating because it is network-based, has low execution, and does not require privileges or user interaction, but can have a high impact on availability.
Flesch claims to have been linked to OpenAI and Microsoft, whose server hosts Chatgpt API hosting, the vulnerability has been through different channels several times after the bug was discovered in January. He claimed that he reported to the OpenAI security team, OpenAI staff through reports, OpenAI data privacy officer, and Microsoft’s security and Azure network operations team.
Despite several attempts to mark vulnerabilities, researchers claim the problem was neither resolved nor AI companies acknowledged its existence. Tech Word News staff members were unable to verify errors in chatbots.
