ChatGPT went down for a while on March 20 as OpenAI rushed to fix a security flaw uncovered by Gil Nagli, CEO of cybersecurity software firm Shockwave.cloud. OpenAI later shared at least some of what happened and how it would fix it in a relatively transparent manner.

“The team at just fixed a critical account takeover vulnerability I reported a few hours ago affecting #ChatGPT. It was possible to take over someone’s account, view their chat history, and access their billing information without them ever realizing it. Breakdown below /W4kXMNy6qI”

The “web cache deception” described by Nagli opened up a method for hackers to quietly gain access to someone else’s ChatGPT account, including their history and the billing information of premium users.

On Friday, OpenAI shared some details about the vulnerability, explaining the impact was limited to 1.2% or fewer of ChatGPT Plus subscribers over a nine-hour period and no non-paying users at all. The company explained in layman’s terms what happened, then went into some of the technicalities. The problem originated with the open-source caching software Redis, made worse by a software update by OpenAI.

“We took ChatGPT offline earlier this week due to a bug in an open-source library which allowed some users to see titles from another active user’s chat history.

“In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time,” OpenAI wrote in its post. “Full credit card numbers were not exposed at any time.”

Nagli criticized OpenAI’s lack of a bug bounty program, as it might have spotted and fixed the problem ahead of time.