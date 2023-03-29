On Monday of last week (20), the company OpenAI, responsible for the generative artificial intelligence of ChatGPT, admitted to having shut down its servers due to a security vulnerability. After a week of investigation, the company confirmed the leakage of sensitive user data, including conversation history.

OpenAI has confirmed a data breach caused by a bug in an open source library. Additionally, cybersecurity firm GreyNoise noted that a recently introduced component is affected by an actively exploited vulnerability.

What does that mean, in practice? Well, according to the OpenAI investigation, the chat history titles of active users and the first message of a newly created conversation were exposed in the data breach. The bug also exposed payment-related information belonging to 1.2% of ChatGPT Plus subscribers, including first and last name, email address, payment address, payment card expiration date, and the last four digits of the payment card number. customer card.

OpenAI also said that the information was exposed during a nine-hour window last Monday, and added that some of the content may also have been leaked before March 20. “We reached out to notify affected users that their payment information may have been exposed. We are confident that there is no ongoing risk to user data,” the company said in its blog post.

To avoid new related problems, the company says it has taken the following actions:

We have extensively tested our fix for the bug;

Added redundant checks to ensure that the data returned by our Redis cache (where the open source library crashed) matches the requesting user;

We programmatically examine our logs to ensure that all messages are only available to the correct user;

We correlate multiple data sources to accurately identify affected users so that we can notify them;

We’ve improved the log to identify when this is happening and confirm that it has stopped altogether;

We’ve improved the robustness and scale of our enhanced Redis cluster to reduce the likelihood of connection errors under extreme loads.

ChatGPT issue discovered by security firm

On Friday (24), the threat intelligence company GreyNoise issued an alert about a new feature of ChatGPT that increases the information gathering capabilities of the chatbot through the use of plugins.

GreyNoise noted that code samples provided by OpenAI to customers interested in using its plugins with the new feature include an image affected by a vulnerability. The version of the docker image used in the OpenAI example, version 2022-03-17, is affected by CVE-2023-28432, a security flaw that can be exploited to obtain sensitive keys and root passwords.

To make matters worse, GreyNoise has already detected several attempts to exploit the vulnerability out there. “While we have no information suggesting that any specific actor is targeting example instances of ChatGPT, we do observe this vulnerability being actively exploited in the wild. When attackers attempt mass identification and mass exploitation of vulnerable services, ‘everything’ is in scope, including any deployed ChatGPT plugins that utilize this outdated version of MiniIO,” the security firm warned.