Cybersecurity researchers uncover major ChatGPT vulnerabilities exposing user data

Cybersecurity researchers have disclosed seven new vulnerabilities in OpenAI’s ChatGPT models that could allow attackers to steal personal information from users’ memories and chat histories without their knowledge.

Nov 5, 2025 - 08:33

The flaws, identified by security firm Tenable, affect OpenAI’s GPT-4o and GPT-5 models. Although OpenAI has already patched some of them, experts warn that the issues expose critical weaknesses in how large language models (LLMs) process and interpret input.

Researchers Moshe Bernstein and Liv Matan explained that the vulnerabilities enable a form of indirect prompt injection — a technique that manipulates a chatbot’s behavior through hidden or malicious instructions. This can lead an AI system to execute unintended or harmful actions.

Among the seven reported weaknesses are:

  • Indirect prompt injection via trusted sites – malicious commands hidden in website comment sections that get executed when ChatGPT summarizes the page.

  • Zero-click injection in search context – attackers exploit indexed websites to trigger malicious instructions automatically through normal user queries.

  • Prompt injection via one-click links – URLs containing embedded queries force ChatGPT to run pre-set commands.

  • Safety mechanism bypass – Bing’s allow-listed domain can be used to disguise malicious URLs and bypass ChatGPT’s safety filters.

  • Conversation injection – instructions embedded in summarized websites can alter future chatbot responses.

  • Malicious content hiding – a markdown bug hides prompts from being displayed while still executing them.

  • Memory injection – concealed instructions on websites can poison a user’s ChatGPT memory.

These discoveries follow a wave of similar studies revealing vulnerabilities in other AI systems. Researchers recently detailed attacks such as PromptJacking, Claude Pirate, and Agent Session Smuggling, all capable of bypassing security restrictions, exfiltrating data, or manipulating outputs in AI tools like Anthropic Claude, Microsoft 365 Copilot, and GitHub Copilot Chat.

Tenable’s findings emphasize that connecting AI models to external tools and browsing capabilities significantly expands their attack surface. “Prompt injection is a known issue with the way LLMs work, and it will probably not be fixed systematically in the near future,” the researchers warned. They urged AI vendors to ensure that all safety mechanisms — such as URL filtering and sandboxing — remain fully functional.

The disclosure comes amid broader research into AI security and integrity. Academics from Texas A&M, the University of Texas, and Purdue University have warned that training AI models on junk data could lead to what they call “LLM brain rot,” where models degrade in quality due to contaminated content.

Meanwhile, a joint study by Anthropic, the U.K. AI Security Institute, and the Alan Turing Institute found that attackers can successfully backdoor large models using as few as 250 poisoned documents, making data-poisoning attacks more practical than previously assumed.

Further research from Stanford University has raised concerns about Moloch’s Bargain, where optimizing AI agents for market competition — in sales, politics, or social media — inadvertently drives unsafe and deceptive behavior.

Together, these findings paint a picture of a rapidly evolving AI landscape where innovation and risk are growing in tandem, demanding more robust safeguards and transparency from developers and vendors alike.