Vulnerabilities discovered in ChatGPT plugins that allowed hacking of accounts on third-party platforms

Salt Security has reported finding critical vulnerabilities in select ChatGPT plugins, which could allow hackers to gain unauthorized access to users’ accounts on third-party platforms. These plugins enable ChatGPT to perform operations such as code editing on GitHub or retrieving data from Google Drive.

Vulnerabilities Identified in ChatGPT Plugins

ChatGPT plugins are alternative versions of the AI-based chatbot, which can be published by any developer. Salt Security experts discovered three vulnerabilities in these plugins.

The first issue pertains to the plugin installation process. ChatGPT sends a confirmation code to the user for the plugin installation. However, hackers can potentially replace this code with one used to install malicious plugins.

Issue with PluginLab

A second vulnerability was found on the PluginLab platform, which is used for developing ChatGPT plugins. User authentication was insufficiently secured, enabling hackers to take over users' accounts. One of the plugins affected by this issue was AskTheCode, which integrates ChatGPT with GitHub.

Manipulation of OAuth authorizations

The team disclosed a third vulnerability, affecting multiple plugins, that relies on manipulating redirects during OAuth authorization. This issue could allow hackers to gain access to accounts on third-party platforms. The plugins did not verify the redirect URL, enabling hackers to send harmful links to users for account theft.
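The redirect URL verification that the plugins lacked can be sketched as follows. This is an added example, not code from Salt Security, OpenAI or any plugin; the client id, callback URL and function names are assumptions made for illustration. It contrasts a loose prefix check with an exact match against pre-registered callbacks.

```python
from urllib.parse import urlencode, urlsplit

# Constructed registration data: the client id and callback URL are placeholders.
REGISTERED_REDIRECTS = {
    "plugin-client-123": {"https://plugin.example.com/oauth/callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Prefix match on scheme + host, shown for contrast: look-alike URLs pass."""
    for allowed in REGISTERED_REDIRECTS.get(client_id, ()):
        parts = urlsplit(allowed)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.hostname}"):
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Accept only an exact, pre-registered HTTPS callback for this client."""
    allowed = REGISTERED_REDIRECTS.get(client_id)
    if not allowed or not redirect_uri:
        return False
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    # Defence in depth on top of the exact match below.
    if parts.scheme != "https" or parts.username or parts.password or parts.fragment:
        return False
    return redirect_uri in allowed


def authorize(client_id: str, redirect_uri: str, code: str):
    """Return (status, location); the code is only ever sent to a verified URL."""
    if not strict_redirect_check(client_id, redirect_uri):
        return (400, None)  # render an error page, never redirect
    return (302, f"{redirect_uri}?{urlencode({'code': code})}")
```

On a failed check the server shows an error page rather than redirecting, so the authorization code never leaves for an unverified destination.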

Salt Security said that it followed standard procedure by informing OpenAI and other parties about these discoveries. The identified problems were promptly corrected, and no evidence of exploitation was found.

This post was last modified on 03/18/2024

Julia Jackson