Summary: A vulnerability in ChatGPT’s web crawler can be exploited to launch DDoS attacks on arbitrary websites by sending a single HTTP request to the ChatGPT API. Cybersecurity researcher Benjamin Flesch highlighted that this flaw allows the crawler to generate an overwhelming number of requests to a target site, potentially flooding it with traffic. Despite reports to OpenAI and Microsoft, this issue remains unresolved as of January 10, 2025.
Threat Actor: Benjamin Flesch
Victim: Various websites
Keypoints:
- ChatGPT’s web crawler can inadvertently execute DDoS attacks under specific query conditions.
- The vulnerability arises from the API’s failure to check for duplicate links and enforce limits on the number of hyperlinks.
- Despite multiple reports, OpenAI and Microsoft have not acknowledged or addressed this significant oversight.
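The two missing checks named in the keypoints (duplicate detection and a cap on the number of links) can be sketched as server-side validation of a submitted URL list. This is an added example, not OpenAI's code or the researcher's; the function names, the limits `MAX_URLS` and `MAX_PER_HOST`, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

MAX_URLS = 10      # assumed cap on links per request
MAX_PER_HOST = 2   # assumed cap on fetches aimed at one host
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample input: one host spelled several ways.
SAMPLE = [
    "https://victim.example/", "https://VICTIM.example:443/#a",
    "https://victim.example/page?x=1", "https://victim.example/page?x=2",
    "ftp://victim.example/file", "https://other.example",
]


def canonicalize(url):
    """Normalize a URL so trivially different spellings compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    host = parts.hostname.lower().rstrip(".")
    if ":" in host:  # IPv6 literal needs brackets in the netloc
        host = f"[{host}]"
    port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    # Userinfo and fragment are dropped from the canonical form.
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def filter_fetch_list(urls):
    """Return (accepted, rejected); rejected holds (raw_url, reason) pairs."""
    if len(urls) > MAX_URLS:
        raise ValueError(f"too many URLs: {len(urls)} > {MAX_URLS}")
    seen, per_host, accepted, rejected = set(), {}, [], []
    for raw in urls:
        try:
            canon = canonicalize(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        host = urlsplit(canon).hostname
        if canon in seen:
            rejected.append((raw, "duplicate"))
        elif per_host.get(host, 0) >= MAX_PER_HOST:
            rejected.append((raw, "per-host limit"))
        else:
            seen.add(canon)
            per_host[host] = per_host.get(host, 0) + 1
            accepted.append(canon)
    return accepted, rejected
```

The per-host cap matters because exact-match deduplication alone still lets many distinct paths on one host through.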
Source: https://securityonline.info/chatgpt-crawler-vulnerability-ddos-attacks-via-http-requests/