German security researcher Benjamin Flesch explained in his GitHub article how a single HTTP request to the ChatGPT API can be used to DDoS attack sites using the ChatGPT crawler (namely ChatGPT-User).
German security researcher Benjamin Flesch explained in his GitHub article how a single HTTP request to the ChatGPT API can be used to DDoS attack sites using the ChatGPT crawler (namely ChatGPT-User).
According to Flash, this may not be enough for a powerful attack, but it still poses a threat and is a certain omission on the part of OpenAI. Thus, just one API request can be “dispersed” to 20–5000 or more requests to the site every second, over and over again, writes The Register.
“The ChatGPT API exhibits a serious quality defect when processing HTTP POST requests to https://chatgpt.com/backend-api/attributions,” explains Flash.
This API endpoint is used to retrieve data about web sources referenced by the chatbot in responses. When ChatGPT mentions certain websites, it calls attribution with a list of URLs of those sites so that its crawler can access and learn about them.
If you provide the API with a long list of URLs that are slightly different but all point to the same site, the crawler will start reaching out to all of them at once.
“The API expects a list of hyperlinks in the URLs parameter. It is well known that hyperlinks to the same website can be written in different ways. Due to poor programming, OpenAI does not check whether a hyperlink to the same resource appears multiple times in the list. OpenAI also does not set a limit on the maximum number of hyperlinks in the urls parameter, which allows many thousands of hyperlinks to be passed in a single HTTP request,” writes Flash.
So, using a tool like Curl, an attacker can send an HTTP POST request to the ChatGPT endpoint, and OpenAI servers in Microsoft Azure will respond by initiating an HTTP request for each link passed in the URL. When these requests are directed to the same website, they can potentially overload the target, causing DDoS symptoms. Moreover, the crawler, proxied by Cloudflare, will access the site from a new IP address each time.
“The victim will never know they have been attacked because all they see is the ChatGPT bot attacking their site from about 20 different IP addresses at the same time,” said Flash, adding that even if the victim blocks the IP range, the bot will still send requests.
“This way, a single failed/blocked request will not prevent the ChatGPT bot from sending another request to the victim site within the next millisecond. With this amplification, the attacker can send only a few requests to the ChatGPT API, but the victim will receive a very large number of requests,” explained Flash.
Flash says he reported the vulnerability via OpenAI's BugCrowd vulnerability reporting platform, emailed the OpenAI security team, Microsoft (including Azure), and HackerOne — but received no response.
