OpenAI: ChatGPT Crawler Vulnerability
-
ChatGPT API exhibits a severe quality defect when handling HTTP POST requests to https://chatgpt.com/backend-api/attributions. The API expects a list of hyperlinks in parameter urls. It is commonly known that hyperlinks to the same website can be written in many different ways. Due to bad programming practices, OpenAI does not check if a hyperlink to the same resource appears multiple times in the list. OpenAI also does not enforce a limit on the maximum number of hyperlinks stored in the urls parameter, thereby enabling the transmission of many thousands of hyperlinks within a single HTTP request.
Immediately after a well-formed HTTP POST request is received by OpenAI's https://chatgpt.com/backend-api/attributions API endpoint, OpenAI will initiate one HTTP request for each hyperlink contained in the urls parameter from the OpenAI servers located in the Microsoft Azure cloud. At this point, a victim website will experience a high number of parallel connection attempts and HTTP requests from OpenAI's servers. Even though OpenAI is aware that they are sending a large number of requests to the same website at the same point in time, they don't make any attempt to limit the number of connections to the same website or even prevent the issuance of duplicate requests to the same resource.
Full article https://github.com/bf/security-advisories/blob/main/2025-01-ChatGPT-Crawler-Reflective-DDOS-Vulnerability.md
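Added example, not code from the advisory or from OpenAI: the two server-side checks the post describes as missing, written as a small Python filter. It canonicalises each submitted hyperlink so different spellings of the same resource collapse to one entry, then enforces a per-host and a total cap before anything would be fetched. The sample URL list, hostnames and limits are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit, urlunsplit
import posixpath

DEFAULT_PORTS = {"http": 80, "https": 443}

def canonicalize(url: str):
    """Collapse case, default port, fragment, dot-segments and empty path; None if unusable."""
    p = urlsplit(url.strip())              # urlsplit lower-cases scheme and hostname
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    try:
        port = p.port                      # raises ValueError on a malformed port
    except ValueError:
        return None
    host = p.hostname.rstrip(".")          # "example.com." and "example.com" are the same host
    netloc = host if port in (None, DEFAULT_PORTS[p.scheme]) else f"{host}:{port}"
    path = posixpath.normpath(p.path or "/")
    if p.path.endswith("/") and path != "/":
        path += "/"                        # normpath strips a trailing slash; keep it
    return urlunsplit((p.scheme, netloc, path, p.query, ""))  # fragment dropped

def dedupe_and_cap(urls, max_total=20, max_per_host=2):
    """Return (urls to fetch, counts of dropped inputs by reason)."""
    seen, per_host, accepted, dropped = set(), Counter(), [], Counter()
    for raw in urls:
        c = canonicalize(raw)
        if c is None:
            dropped["invalid"] += 1
        elif c in seen:
            dropped["duplicate"] += 1      # same resource, different spelling
        elif len(accepted) >= max_total:
            dropped["total_limit"] += 1    # hard cap on fetches per request
        elif per_host[urlsplit(c).hostname] >= max_per_host:
            dropped["per_host_limit"] += 1 # bound the load on any one site
        else:
            seen.add(c)
            per_host[urlsplit(c).hostname] += 1
            accepted.append(c)
    return accepted, dict(dropped)

# Constructed sample: five spellings of one page, two siblings, one other host, junk.
SAMPLE_URLS = [
    "https://example.com/page", "HTTPS://EXAMPLE.COM/page",
    "https://example.com:443/page", "https://example.com/page#section",
    "https://example.com/./page", "https://example.com/other",
    "https://example.com/third", "http://example.org/", "http://example.org",
    "ftp://example.net/x",
]
```

Running `dedupe_and_cap(SAMPLE_URLS)` leaves three URLs to fetch and reports five duplicates, one per-host rejection and one invalid entry.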
-
@Catweazle One more reason to have blocked Microsoft Azure servers to access own sites.
-
@Catweazle what are we supposed to do other than use another browser where all works fine? I've cleared the cache and see no chatGPT login/out.
I'm not a guru to put it mildly!
-
@coolactuary Do not use ChatGPT as it can attack other websites.
-
@DoctorG Looks as though I should cancel my paid subscription to "send a message" as they say. https://cybersecuritynews.com/chatgpt-crawler-vulnerability/
Update: Just cancelled
-
@coolactuary Good action
-
@coolactuary, if you want a trustworthy and private AI, use Andisearch in your search engine list, it's free and anonymous, no big brother company, no logs, no tracking, no ads, accurate answers from trustworthy sources.
https://andisearch.com/?query=%s
or/and in the web panel
-
@Catweazle Thanks, I'll look into that with interest despite chatGPT seemingly now being patched.
Out of interest I'm assuming what happened here was that Vivaldi tech types blocked the potential danger, whereas other browsers didn't(?) Impressive!