Researchers found multiple flaws in ChatGPT plugins
March 14, 2024
Researchers analyzed ChatGPT plugins and discovered several types of vulnerabilities that could lead to data exposure and account takeover.
Researchers from Salt Security discovered three types of vulnerabilities in ChatGPT plugins that can be could have led to data exposure and account takeovers.
ChatGPT plugins are additional tools or extensions that can be integrated with ChatGPT to extend its functionalities or enhance specific aspects of the user experience. These plugins may include new natural language processing features, search capabilities, integrations with other services or platforms, text analysis tools, and more. Essentially, plugins allow users to customize and tailor the ChatGPT experience to their specific needs.
Plugins can allow users to interact with third-party services such as Github, Google Drive, and Saleforce.
By using plugins, users authorize ChatGPT to transmit sensitive data to third-party services. In some cases, this involves granting access to their private accounts on platforms they need to interact with
The first vulnerability discovered by the researchers resides in ChatGPT and is related to the OAuth authentication, it can be exploited to install malicious plugins on ChatGPT users.
“Attacker can write his own plugin, which tells ChatGPT to forward almost any Chat data to this plugin, and then by exploiting a vulnerability in ChatGPT, he can install this malicious plugin on a victim account.” reads the report published by Salt Security.
“Since the attacker is the owner of this plugin, he can see the private chat data of the victim, which may include credentials, passwords or other sensitive data.”
The second vulnerability is a zero-click account takeover that impacts multiple plugins. An attacker can exploit this vulnerability to take over an organization’s account on third-party websites like GitHub
The flaw resided in the AskTheCode plugin developed by PluginLab.AI, which allows users to access their GitHub repositories.
“In our example, we will use “AskTheCode” – a plugin developed with PluginLab.AI that lets you ask your GitHub repositories questions, which means that users who use this plugin, gave it an access to their GitHub repositories.” continues the report. “Account takeover on AskTheCode means attackers can access GitHub repositories of any user who uses this plugin.”
The third vulnerability is an OAuth redirection manipulation that impacts several plugins. The researchers demonstrated the attack against the plugin Charts by Kesem AI. Like the first type of vulnerability, this issue can be exploited by tricking a user into clicking on a specially crafted link.
Salt Labs reported the vulnerabilities to PluginLab.AI and KesemAI which addressed them.
“As we mentioned earlier, GPTs are the next version of Plugins, and you can read more about this feature here: https://openai.com/blog/introducing-gpts. Essentially these are the same concept as plugins but with enhanced security protocols.” concludes the report. “In conclusion, GPTs represent a significant enhancement in security over Plugins, effectively addressing the majority of concerns highlighted in this discussion. Nonetheless, users need to remain vigilant regarding potential risks.”
Salt Security announced they also discovered vulnerabilities in GPTs that will be detailed in the next future.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, ChatGPT)