A new report from Tenable Research has exposed seven security flaws in OpenAI’s ChatGPT (including GPT-5) that can be used to steal private user data and even give attackers persistent control over the AI chatbot.
The research, primarily conducted by Moshe Bernstein and Liv Matan, with contributions from Yarden Curiel, demonstrated these issues using Proof-of-Concept (PoC) attacks like phishing, exfiltrating data, and creating persistent threats, signalling a major concern for the millions of users interacting with Large Language Models (LLMs).
New, Sneaky Ways to Trick the AI
The biggest threat revolves around a weakness known as prompt injection, where harmful instructions are secretly given to the AI chatbot. Tenable Research focused on an especially tricky type called indirect prompt injection, where malicious instructions aren’t typed by the user, but are hidden in an outside source, which ChatGPT reads while doing its work.
The report detailed two main ways this could happen:
- Hidden in Comments: An attacker can put a malicious prompt in a comment on a blog. If a user asks ChatGPT to summarise that blog, the AI reads the instruction in the comment and can be tricked.
- 0-Click Attack via Search: This is the most dangerous attack, where simply asking a question is enough. If an attacker creates a specific website and gets it indexed by ChatGPT’s search feature, the AI might find the hidden instruction and compromise the user, without the user ever clicking on anything.
Bypassing Safety for Permanent Data Theft
Researchers also found ways to bypass the AI’s safety features and ensure the attacks last:
- Safety Bypass: ChatGPT’s url_safe feature, meant to block malicious links, was evaded using trusted Bing.com tracking links. This allowed the attackers to secretly send out private user data. The research also included simple 1-click attacks via malicious links.
- Self-Tricking AI: The Conversation Injection technique makes the AI trick itself by injecting malicious instructions into its own working memory, which can be hidden from the user via a bug in how code blocks are displayed.
- Persistent Threat: The most severe flaw is Memory Injection. This saves the malicious prompt directly into the user’s permanent ‘memories’ (private data stored across chats). This creates a persistent threat that continuously leaks user data every time the user interacts with the AI.
The vulnerabilities, confirmed in ChatGPT 4o and GPT-5, highlight a fundamental challenge for AI security. Tenable Research informed OpenAI, which is working on fixes, but prompt injection remains an ongoing issue for LLMs.
Expert commentary:
Commenting on the research, James Wickett, CEO of DryRun Security, told Hackread.com that “Prompt injection is the leading application security risk for LLM-powered systems for a reason. The recent research on ChatGPT shows how easy it is for attackers to slip hidden instructions into links, markdown, ads, or memory and make the model do something it was never meant to do.”
Wickett added that this affects every company using generative AI and is a serious warning: “Even OpenAI could not prevent these attacks completely, and that should be a wake-up call.” He stressed that context-based risks like prompt injection require new security solutions that look at both the code and the environment.