OpenAI's ChatGPT crawler can be tricked into DDoSing sites, answering your queries
- Reference: 1737313394
- News link: https://www.theregister.co.uk/2025/01/19/openais_chatgpt_crawler_vulnerability/
- Source link:
In a [1]write-up shared this month via Microsoft's GitHub, Benjamin Flesch, a security researcher in Germany, explains how a single HTTP request to the ChatGPT API can be used to flood a targeted website with network requests from the ChatGPT crawler, specifically [2]ChatGPT-User .
This flood of connections may or may not be enough to knock over any given site, practically speaking, though it's still arguably a danger and a bit of an oversight by OpenAI. It can be used to amplify a single API request into 20 to 5,000 or more requests to a chosen victim's website, every second, over and over again.
[3]
"ChatGPT API exhibits a severe quality defect when handling HTTP POST requests to https://chatgpt.com/backend-api/attributions ," Flesch explains in his advisory, referring to an API endpoint called by OpenAI's ChatGPT to return information about web sources cited in the chatbot's output. When ChatGPT mentions specific websites, it will call attributions with a list of URLs to those sites for its crawler to go access and fetch information about.
[4]
[5]
If you throw a big long list of URLs at the API, each slightly different but all pointing to the same site, the crawler will go off and hit every one of them at once.
"The API expects a list of hyperlinks in parameter urls . It is commonly known that hyperlinks to the same website can be written in many different ways," Flesch wrote.
[6]
"Due to bad programming practices, OpenAI does not check if a hyperlink to the same resource appears multiple times in the list. OpenAI also does not enforce a limit on the maximum number of hyperlinks stored in the urls parameter, thereby enabling the transmission of many thousands of hyperlinks within a single HTTP request."
The victim will never know what hit them
Thus, using a tool like Curl, an attacker can send an HTTP POST request – without any need for an authentication token – to that ChatGPT endpoint and OpenAI's servers in Microsoft Azure will respond by initiating an HTTP request for each hyperlink submitted via the urls[] parameter in the request. When those requests are directed to the same website, they can potentially overwhelm the target, causing DDoS symptoms – the crawler, proxied by Cloudflare, will visit the targeted site from a different IP address each time.
"The victim will never know what hit them, because they only see ChatGPT bot hitting their website from about 20 different IP addresses simultaneously," Flesch told The Register , adding that if the victim enabled a firewall to block the IP address range used by the ChatGPT bot, the bot would still send requests.
"So one failed/blocked request would not prevent the ChatGPT bot from requesting the victim website again in the next millisecond."
"Due to this amplification, the attacker can send a small number of requests to ChatGPT API, but the victim will receive a very large number of requests," Flesch explained.
[7]
Flesch says he reported this unauthenticated reflective DDoS vulnerability through numerous channels – OpenAI's BugCrowd vulnerability reporting platform, OpenAI's security team email, Microsoft (including Azure) and HackerOne – but has heard nothing.
The Register reached out twice to Microsoft-backed OpenAI and we've not heard back.
[8]Microsoft eggheads say AI can never be made secure – after testing Redmond's own products
[9]Just as your LLM once again goes off the rails, Cisco, Nvidia are at the door smiling
[10]Google reports halving code migration time with AI help
[11]AI datacenters putting zero emissions promises out of reach
"I'd say the bigger story is that this API was also vulnerable to prompt injection," he said, in reference to a separate [12]vulnerability disclosure . "Why would they have prompt injection for such a simple task? I think it might be because they're dogfooding their autonomous 'AI agent' thing."
That second issue can be exploited to make the crawler answer queries via the same attributions API endpoint; you can feed questions to the bot, and it can answer them, when it's really not supposed to do that; it's supposed to just fetch websites.
Flesch questioned why OpenAI's bot hasn't implemented simple, established methods to properly deduplicate URLs in a requested list or to limit the size of the list, nor managed to avoid prompt injection vulnerabilities that have been addressed in the main ChatGPT interface.
"To me it seems like this small API is an example project of their ChatGPT AI agents, and its task is to parse a URL out of user-provided data and then use Azure to fetch the website," he said.
"Does the 'AI agent' not come with built-in security?" he asked. "Because obviously the 'AI agent' thing that was handling the urls[] parameter had no concept of resource exhaustion, or why it would be stupid to send thousands of requests in the same second to the same web domain.
"Shouldn't it have recognized that victim.com/1 and victim.com/2 point to the same website victim.com and if the victim.com/1 request is failing, why would it send a request to victim.com/2 immediately afterwards?
"These are all small pieces of validation logic that people have been implementing in their software for years, to prevent abuse like this."
Flesch said the only explanation that comes to mind is that OpenAI is using an AI Agent to trigger these HTTP requests.
"I cannot imagine a highly-paid Silicon Valley engineer designing software like this, because the ChatGPT crawler has been crawling the web for many years, just like the Google crawler," he said. "If crawlers don't limit their amount of requests to the same website, they will get blocked immediately." ®
Get our [13]Tech Resources
[1] https://github.com/bf/security-advisories/blob/main/2025-01-ChatGPT-Crawler-Reflective-DDOS-Vulnerability.md
[2] https://platform.openai.com/docs/bots/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z42EG4V9VxBt4bCF0GrKEAAAAJE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z42EG4V9VxBt4bCF0GrKEAAAAJE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z42EG4V9VxBt4bCF0GrKEAAAAJE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z42EG4V9VxBt4bCF0GrKEAAAAJE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z42EG4V9VxBt4bCF0GrKEAAAAJE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2025/01/17/microsoft_ai_redteam_infosec_warning/
[9] https://www.theregister.com/2025/01/17/nvidia_cisco_ai_guardrails_security/
[10] https://www.theregister.com/2025/01/16/google_ai_code_migration/
[11] https://www.theregister.com/2025/01/16/ai_datacenters_putting_zero_emissions/
[12] https://github.com/bf/security-advisories/blob/main/2025-01-ChatGPT-API-Prompt-Injection-Vulnerability.md
[13] https://whitepapers.theregister.com/
The Chat bot did it
So, ChatGPT's implementation contains some crap code.
Something that will work without problem for the simple cases but causes severe problems when fed awkward input. And we are told (as we would hope) that a programmer experienced with web-crawlers would have spotted the possibility and applied "the obvious fix".
Hmm, put together cheaply by the human intern - or coded by the LLM itself. And nobody remembered to keep in asking the 'bot to try again and improve its result [1].
Which of those options is the least worst?
Still, good to know that ChatGPT can screw up in every way, not just because, well, that is what LLMs do.
[1] as we learnt from El Reg recently you have to do
I cannot imagine a highly-paid ... engineer designing software like this...
Perhaps that's simply a failure of imagination?
The thing about this AI lark is that it has to move at a fast pace. There has to be a new model around the corner, a new application, a new solution to a hitherto unknown problem or the punters will have time to uncover the limitations of the current iteration.
And I seem vaguely to recall that those highly-paid Silicon Valley engineers responsible for Twitter had to throw hardware at its initial failure to scale adequately when demand started to take off.
Doing just enough to capture market share and worrying about the consequences later is a long-standing tradition in the Bay Area.
Re: long-standing tradition in the Bay Area.
Hold on a moment.
Didn't the likes of Elongated MuskRat and ZuckBorg tell us that everyone had left Ca for the Tax haven of Texas?
I hope both of them freeze tomorrow but their deal leader is so soft that he has to be inside. Watch the images of JFK walking to his inauguration not wearing an overcoat.
Never mind Trump 2.0 will still say that 2025 had the biggest crowd ever.
DDOS? Yep.
I saw a concentrated DDOS attack recently that came from an LLM on what appeared to be an AWS instance in India.
The thing tried to break through my firewall by doing two things
1) changing the originating IP address by 1
AND
2) Trying ports from 445 to 63999 in rapid succession.
The IP addr went from .1.0 to .3.255 with a full port scan from each address. Bastards. The IP address owner didn't want to know about my abuse complaint to their whole IP range has been blocked.
That makes around 34% of the whole Internet IPV4 addresses blocked.
Re: DDOS? Yep.
It tried SMB ports first? Oh my, that shows the expected target...
Re: DDOS? Yep.
Got a [1]tarpit ? They seem to be necessity now as everything is constantly downloaded, copied, and ripped off.
[1] https://zadzmo.org/code/nepenthes/
Re: DDOS? Yep.
Ooh, shiny! A reverse DDOS for webcrawlers that will give LLMs garbage to eat. That one seems to create purely random nonsense, but I bet it could be designed to also emit trash that follows a theme.
Self inflicted wounds
This is what you get when you let AI (help) write your software. There are no thoughts spent on whether it is a good or smart thing to do. Lets face it, it will kill us all in the end without remorse, like the best and well developed automated psychopath you can find.
All hail to the AI. May the AI kill us all. All hail to the AI. May the wait be soon over. All hail to the AI. Luckily it'll die when the power eventually fails after we're gone.