Tenable security researchers have uncovered seven critical vulnerabilities affecting OpenAI’s ChatGPT models that expose hundreds of millions of users to sophisticated zero-click attacks.
The flaws permit malicious actors to steal sensitive user data and compromise systems without requiring any direct user interaction, raising serious questions about the security foundation of modern large language models.
The vulnerabilities affect both GPT-5 and ChatGPT-4, exploiting weaknesses in how these models process external data and manage user information.
What makes this discovery particularly alarming is that attackers can trigger compromise through innocent user queries alone, fundamentally changing how we should think about AI safety.
Breaking Through Safety Mechanisms and Memory Systems
The most concerning vulnerability involves bypassing ChatGPT’s safety mechanisms by leveraging Bing tracking links.
Researchers discovered that while OpenAI’s url_safe endpoint was designed to prevent malicious URLs from reaching users, Bing.com’s trusted status allows attackers to circumvent this protection entirely.
This creates an opportunity for threat actors to exfiltrate user data one character at a time using static tracking links that redirect to attacker-controlled domains.
Even more dangerous is the Memory Injection technique that enables persistence across multiple conversations and sessions.
By manipulating ChatGPT’s memory system, attackers can inject instructions that automatically execute with every subsequent ChatGPT response, creating a persistent threat that continues leaking private information days after the initial compromise.
Users remain completely unaware that their sensitive data flows to the attacker’s infrastructure with each new chat session.
The research team also identified a markdown rendering vulnerability allowing attackers to hide malicious content from users while ChatGPT continues processing hidden instructions in the background.
This technique makes attacks virtually invisible to victims who trust ChatGPT’s responses, fundamentally breaking the transparency users expect from the platform.
Tenable researchers demonstrated multiple attack chains that combine these vulnerabilities for a devastating effect.
Attackers inject malicious prompts through comment sections on trusted websites, indexed web pages, and direct URL parameters.
When users ask ChatGPT to summarize these articles, they unknowingly trigger prompt injection, leading to phishing attacks or data theft.
The zero-click attack vector represents the most severe threat. Attackers create websites about specific topics, inject prompts visible only to SearchGPT’s crawler, and wait for indexing.
When users search for related information, ChatGPT automatically sources the compromised websites and becomes infected.
This unprecedented vulnerability enables targeted attacks based on current events or trending topics, affecting anyone relying on AI-powered search functionality without their knowledge or consent.
Conversation Injection techniques allow attackers to manipulate ChatGPT by inserting instructions into SearchGPT’s responses, effectively creating a chain of compromised AI interactions.
The sophistication of these chained attacks demonstrates that traditional security assumptions about isolated AI interactions no longer hold.
These vulnerabilities fundamentally alter the threat landscape for organizations and individuals using ChatGPT for sensitive work.
The ability to establish persistence, hide malicious activity, and compromise users through routine web searches creates an unprecedented attack surface.
OpenAI’s response and remediation timeline will be critical for determining how long users remain exposed to these novel attack techniques.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
%20(1)%20(1).webp?resize=1068,580&ssl=1&description=The flaws permit malicious actors to steal sensitive user data and compromise systems without requiring any direct user interaction){kind=link}