Study Uncovers Vulnerabilities in ChatGPT Plugins, Risking Data Exposure and Account Takeover

by | Mar 14, 2024 | News

Post Views: 381

Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Reading Time: 3 Minutes

A recent analysis conducted by researchers has unearthed a series of vulnerabilities within ChatGPT plugins, shedding light on potential risks associated with data exposure and account takeovers. The investigation, spearheaded by Salt Security, examined various ChatGPT plugins, uncovering critical flaws that could compromise user security.

ChatGPT plugins serve as supplementary tools or extensions designed to augment the functionality and user experience of ChatGPT. These additions encompass a wide array of features, ranging from enhanced natural language processing capabilities to seamless integrations with various platforms and services. Essentially, plugins offer users the flexibility to tailor their ChatGPT experience to suit specific requirements.

Vulnerabilities

One of the vulnerabilities identified by the researchers pertains to OAuth authentication within ChatGPT, presenting a loophole that could facilitate the installation of malicious plugins on unsuspecting users’ accounts. Exploiting this vulnerability enables attackers to deploy custom-built plugins, thereby gaining unauthorized access to sensitive data exchanged in private chats, including credentials and passwords.

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Another critical vulnerability, described as a zero-click account takeover, affects multiple plugins and poses a significant threat to organizational security. Leveraging this flaw, attackers can seize control of accounts associated with third-party platforms like GitHub. Notably, the vulnerability was observed in the AskTheCode plugin developed by PluginLab.AI, allowing attackers to infiltrate GitHub repositories of users utilizing this particular plugin.

Additionally, researchers uncovered an OAuth redirection manipulation vulnerability that impacts various plugins, exemplified by an attack on the Charts plugin developed by Kesem AI. This exploit exploits user interaction to redirect OAuth authentication, potentially leading to unauthorized access to sensitive data.

Salt Labs notified PluginLab.AI and Kesem AI of the vulnerabilities, prompting swift remedial action to address the identified security gaps. Furthermore, the report emphasizes the transition from traditional plugins to GPTs (Generative Pre-trained Transformers), which boast enhanced security protocols to mitigate risks associated with data exposure and account takeovers.

However, despite advancements in security measures, users are urged to exercise vigilance in navigating the evolving threat landscape. Salt Security has hinted at forthcoming revelations regarding vulnerabilities in GPTs, underscoring the ongoing imperative for proactive security measures and heightened awareness among users.

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: securityaffairs.com

Source Link