Following the discovery by a cybersecurity company that a recently released component is vulnerable to an actively exploited vulnerability, OpenAI, the company that developed ChatGPT, has confirmed that a flaw in an open-source library was responsible for a data breach.
OpenAI disclosed that it had disabled the chatbot earlier in the week while it collaborated with the administrators of the Redis data platform to fix the vulnerability that had made user information accessible to unauthorized parties.
The issue was brought on by a modification that was implemented by OpenAI on March 20. This modification affected ChatGPT’s utilization of Redis-py, which is an open-source Redis client library.
Redis was used by the developers of the chatbot to save user information on their server so that they wouldn’t have to check the database for each and every request. Through the use of the Redis-py library, the Python interface can be accessed. Users of ChatGPT had their chat data revealed to them even if it belonged to other people because of a vulnerability in OpenAI.
The study conducted by OpenAI discovered that the data leak disclosed the titles of active users’ chat histories as well as the initial message of freshly initiated conversations.
Additionally, the vulnerability exposed payment-related information for 1.2% of ChatGPT Plus subscribers. This information included the subscribers’ names, email addresses, payment addresses, payment card expiration dates, and the last four digits of their card numbers.
It was possible for the information to be included in subscription confirmation emails that were sent out on March 20 and shown on the subscription management page of ChatGPT accounts on that day.
OpenAI confirmed that the information was made public within nine hours on March 20, but the company acknowledged that the material might have been leaked sooner. They informed the concerned individuals that there was a possibility that their payment information had been stolen, and they assured the users that their data was not in any further danger.
In addition to the security flaw that was found in ChatGPT, a business that specializes in threat intelligence issued a warning over a new feature of ChatGPT that expands the information-collecting capabilities of the chatbot by making use of plugins.
Docker images for the MinIO distributed object storage system is included in the OpenAI code samples that are provided to clients that are interested in integrating their plugins with the new functionality.
The version of the Docker image used in OpenAI’s example was vulnerable to CVE-2022-28432, which is a potentially significant information disclosure issue. The affected release date was 2022-03-17.
There have already been observations of people attempting to exploit the security flaw so that they may get hidden keys and root passwords. The vulnerability can be abused to obtain access to sensitive information.
The vulnerability is being actively exploited in the field, despite the fact that there is no evidence to suggest that any particular threat operator is specifically targeting ChatGPT sample instances. Everything is in the crosshairs when threat operators try to find and attack weak services in mass. This includes any installed ChatGPT plugins that use an older version of MinIO.
In the modern digital world, technology is always developing and expanding at an accelerating rate. As a result, threat operators will continue to use new tactics to exploit any possible flaws they find.
Because of this, it is essential for businesses to implement patch updates on software programs or apps on a regular basis in order to protect themselves against future intrusions and maintain awareness of the current threat environment.
The process of risk management at SpearTip includes network vulnerability evaluations, which play a significant role in the process. They should be carried out on a regular basis in order to guarantee that the devices connected to your network do not contain any known vulnerabilities.
We will do a full search for, classification of, and analysis of both known and prospective vulnerabilities. Following this, we will suggest solutions that may be implemented to minimize future cybersecurity issues.
We will identify any holes in the access restrictions, provide recommendations for any necessary patch updates, and evaluate the effectiveness of the application’s security overall. Make certain that the tools that businesses rely on are operating effectively and safely for their company.