Thursday, April 18, 2024

ChatGPT Exposes Email Address of Other Users – Open-Source Bug

There were a number of users whose email addresses were exposed accidentally by ChatGPT’s website recently. While OpenAI asserted that the cause was a bug in the Redis client open-source library.

In ChatGPT, users can browse all their query history from the sidebar of the ChatGPT window on their web browser. From this sidebar, you can browse all the past queries you have made or even use them to regenerate the responses.

However, many users reported an unusual issue on Monday morning. The reports from the users claim that they could see information about chat queries from other users listed in their query history.

There have also been several reports from ChatGPT Plus subscribers reporting that they came across other people’s email addresses on their subscription pages.

When OpenAI became aware of the incident, they acted quickly with the intent of shutting down ChatGPT to analyze the situation.

Open-Source Bug

The ChatGPT service was exposed as a result of an error in the Redis client open-source library that caused the chat queries and email addresses of other users to be exposed to other users of the platform.

An estimated 1.2% of ChatGPT Plus subscribers had their personal details exposed, which included their chat queries and email addresses. As a result, ChatGPT Plus subscriptions have been suspended, and OpenAI has removed the sidebar for chat histories.

The OpenAI team immediately contacted the Redis maintainers after identifying the issue and provided them with a patch to fix it.

Data Exposed

Several types of information have been exposed, including:

  • Subscriber name
  • Email address
  • Payment address
  • Last four digits of the credit card number
  • Credit card expiration date

OpenAI estimates that many individuals may have had their data exposed in this data breach. It is important to note that to access this information, ChatGPT Plus subscribers had to do one of the following:-

  • Check your email for a confirmation email sent between 1 am and 10 am Pacific time on Monday, March 20, which confirms your subscription.
  • On Monday, March 20, between 1 am and 10 am Pacific time, click “My account” and then “Manage my subscription.”

ChatGPT asserted that they are in the process of contacting all users whose payment information has been compromised due to this security breach.

Actions Taken

As part of OpenAI’s efforts to improve its systems, the following actions have been taken:-

  • To fix the underlying bug, OpenAI has extensively tested the fix.
  • The data returned by the Redis cache will be checked twice to ensure that the data returned matches the information retrieved by the requester.
  • Thoroughly programmatically analyzed the logs to ensure that only the appropriate users could access all messages.
  • To notify the affected users, the company has done several data sources correlations to identify them precisely.
  • A more comprehensive logging system has been implemented to identify when this occurs and confirm that it has been resolved.
  • To reduce the possibility of connection errors under extreme load, the company has improved its robustness and scaled its Redis cluster as well.

Searching to secure your APIs? – Try Free API Penetration Testing

Related Coverage:


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles