{"id":2708,"date":"2024-03-13T07:00:00","date_gmt":"2024-03-13T12:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data"},"modified":"2024-03-13T07:00:00","modified_gmt":"2024-03-13T12:00:00","slug":"critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/03\/13\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data\/","title":{"rendered":"Critical ChatGPT Plugin Vulnerabilities Expose Sensitive Data"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

Three security vulnerabilities unearthed in the extension functions ChatGPT employs open the door to unauthorized, zero-click access to users’ accounts and services, including sensitive repositories on platforms like GitHub.<\/span><\/p>\n

ChatGPT plugins and custom versions of ChatGPT published by developers extend the capabilities of the AI model, enabling interactions with external services by granting OpenAI’s popular generative AI chatbot access and permissions to execute tasks on various third-party websites, including GitHub and Google Drive.<\/span><\/p>\n

Salt Labs researchers uncovered the <\/span>three critical vulnerabilities affecting ChatGPT<\/a><\/span>, the first of which occurs during the installation of new plugins, when ChatGPT redirects users to plugin websites for code approval. By exploiting this, attackers could trick users into approving malicious code, leading to automatic installation of unauthorized plugins and potential follow-on account compromise.<\/span><\/p>\n

Second, PluginLab, a framework for plugin development, lacks proper user authentication, enabling attackers to impersonate users and execute account takeovers, as seen with the “AskTheCode” plugin connecting ChatGPT with GitHub.<\/span><\/p>\n

Finally, Salt researchers found that certain plugins were susceptible to <\/span>OAuth redirection manipulation<\/a><\/span>, allowing attackers to insert malicious URLs and steal user credentials, facilitating further account takeovers.<\/span><\/p>\n

The report noted the issues have since been fixed and there was no evidence that the vulnerabilities had been exploited, so users should update their apps as soon as possible.<\/span><\/p>\n

GenAI Security Issues Put Vast Ecosystem at Risk<\/h2>\n

Yaniv Balmas, vice president of research at Salt Security, says the issues the research team found may put hundreds of thousands of users and organizations at risk.<\/span><\/p>\n

“Security leaders at any organization must better understand the risk, so they should review what plugins and GPTs their company is using and what third-party accounts are exposed through those plugins and GPTs,” he says. “As a starting point, we would suggest making a security review of their code.”<\/span><\/p>\n

For plugins and GPT developers, Balmas recommends developers be better aware of the internals of the GenAI ecosystem, the security measures involved, how to use them, and how to abuse them. That specifically includes what data is being sent to GenAI, and what permissions are given to the GenAI platform or the connected third-party plugins \u2014 for example, permission for Google Drive or GitHub.<\/span><\/p>\n

Balmas points out that the Salt research team only checked a small percentage of this ecosystem, and says the findings indicate there is a bigger risk relevant to other GenAI platforms, and many existing and future GenAI plugins.<\/span><\/p>\n

Balmas also says that OpenAI should put more emphasis on security in their documentation for developers, which will help reduce the risks.<\/span><\/p>\n

GenAI Plugin Security Risks Likely to Increase<\/h2>\n

Sarah Jones, cyber threat intelligence research analyst at Critical Start, agrees that the Salt Lab findings suggest a <\/span>broader security risk<\/a><\/span> associated with GenAI plugins.<\/span><\/p>\n

“As GenAI becomes more integrated with workflows, vulnerabilities in plugins could provide attackers with access to sensitive data or functionalities within various platforms,” she says.<\/span><\/p>\n

This emphasizes the need for robust security standards and regular audits for both GenAI platforms and their plugin ecosystems, as hackers start to <\/span>target flaws in these platforms<\/a><\/span>.<\/span><\/p>\n

Darren Guccione, CEO and co-founder at Keeper Security, says these vulnerabilities serve as a “stark reminder” about the inherent security risks involved with third-party applications and should prompt organizations to shore up their defenses.<\/span><\/p>\n

“As organizations rush to leverage AI to gain a competitive edge and enhance operational efficiency, the pressure to quickly implement these solutions should not take precedence over security evaluations and employee training,” he says.<\/span><\/p>\n

The proliferation of AI-enabled applications has also introduced challenges in <\/span>software supply chain security<\/a><\/span>, requiring organizations to adapt their security controls and data governance policies.<\/span><\/p>\n

He points out employees are increasingly entering proprietary data into AI tools \u2014 including intellectual property, financial data, business strategies, and more \u2014 and unauthorized access by a malicious actor could be crippling for an organization.<\/span><\/p>\n

“An account takeover attack jeopardizing an employee’s GitHub account, or other sensitive accounts, could have equally damaging impacts,” he cautions.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Three security vulnerabilities unearthed in the extension functions ChatGPT employs<\/p>\n","protected":false},"author":12,"featured_media":2709,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2708","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?fit=2560%2C1491&ssl=1",2560,1491,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?fit=300%2C175&ssl=1",300,175,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?fit=640%2C373&ssl=1",640,373,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?fit=640%2C373&ssl=1",640,373,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?fit=1536%2C895&ssl=1",1536,895,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?fit=2048%2C1193&ssl=1",2048,1193,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?fit=1024%2C596&ssl=1",1024,596,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/03\/critical-chatgpt-plugin-vulnerabilities-expose-sensitive-data-scaled.jpg?fit=2560%2C1491&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2708"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2708\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2709"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}