Security researchers have exposed a vulnerability that could allow threat actors to store malicious instructions in a user's memory settings in the MacOS ChatGPT application.
A report by Johann Rehberger in Embrace the red It was observed how an attacker could trigger a quick injection to take control of ChatGPT and then insert a memory into its long-term storage and persistence mechanism. This leads to the exfiltration of the conversation on both sides directly to the attacker's server.
From that point on, the message is stored as “persistent in memory,” so any future conversations with the chatbot will have the same vulnerability. Because ChatGPT remembers information about its users, such as names, ages, locations, likes and dislikes, and previous searches, this vulnerability poses a serious risk to users.
Stay safe
In response, OpenAI introduced an API that makes the exploit no longer possible through the ChatGPT web interface, and also released a fix to prevent memories from being used as an exfiltration vector. However, researchers say untrusted third-party content can still inject messages that could exploit the memory tool.
The good news is that while the memory tool is automatically enabled by default in ChatGPT, it can be disabled by the user. The feature is great for those who want a more personalized experience when using the chatbot, as it can listen to your wants and needs and make suggestions based on the information, but there are clearly dangers.
To mitigate the risks involved, users should be vigilant when using the chatbot, and in particular pay attention to “new memory added” messages. By reviewing stored memories regularly, users can examine whether there are potentially planted memories.
This is not the first security flaw researchers have discovered in ChatGPT, and there are concerns that the plugins could allow threat actors to take control of other users' accounts and potentially access sensitive data.