Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Ayoub FATHI 阿尤布 Profile picture
Ayoub FATHI 阿尤布
@_ayoubfathi_
Group CISO @ https://t.co/mlBb0pUKBI | Engineer & Hacker by heart | Entrepreneur | I enjoy building and breaking stuff 🇲🇦/🇦🇪

Mar 25, 2023, 21 tweets

How could I have Hacked into any #ChatGPT account, including saved conversations, account status, chat history and more!

A tale of 4 ChatGPT vulnerabilities 👇

We can discuss it now that the #OpenAI team has confirmed it's completely fixed.

Let me explain 🤌:

After OpenAI had fixed a critical vulnerability reported by @naglinagli, a line caught my attention: "..instruct the caching server to not catch the endpoint through a regex (this is the fix @OpenAI chose)"

I knew something was wrong with the fix & decided to give it a look..👇

Having fixed similar issues, I knew this was the wrong fix—so I dug deeper into the Auth API..without success.

I thought the cache deception was fixed. But a bypass attempt that failed on the Auth API worked on another API-giving access to all conversations' titles of a user 😄

here I thought all I could find was a bypass to read someone's conversation titles – which is still bad but not as bad as taking over accounts, correct?

To explain the previous image, we are getting a "HIT" cache status of an API request (not a static file).

This means an "API" request is cached since Cloudflare thinks this is a static file request that needs to be cached.

Hence you can forge an exploit based on a URL like:

GET /backend-api/conversations%0A%0D-testtest.css?offset=0&limit=20

Send it to a victim, and upon accessing it – his own "API" response will be cached, and if you recheck the same URL (i.e. fetching the cached response of the victim), you will be able to see the victim's HTTP… twitter.com/i/web/status/1…

This is called a cache deception attack (more details omergil.blogspot.com/2017/02/web-ca…).

With this finding in hand, I decided to report it to the OpenAI team and got the following response back:

Then I went back and started looking again.. It bothered me a bit that I couldn't bypass that Auth API and all I reported was reading a user's conversation titles.

Then I'll just call it a night, probably?

Now getting to the juicy part—there is more to it.

I found a new vector to bypass the fix of the original account takeover attack 😱

I thought the %0A%0D payload would also work on the Auth API but that wasn't the case:

As a result, I thought CRLF chars were being escaped against the Auth session API, but I suspected they would be able to catch other chars.

I knew that regex is terrible at catching encoded whitespace characters, especially when it gets forwarded between different hops.

So I appended the URL-encoded representation of tabulation (\t) – %09, and that Payload (%0A%0D%09), WORKED 🫠

And here, I was able to bypass OpenAI fix of the original account takeover issue with a new payload, which brings this issue back to life – taking over any user account

And with this, I was able to bypass OpenAI fix of the original account takeover issue with a new payload, which brings this issue back to life:

Taking over any user account, but that was only the 1st finding among others I will demonstrate next:

That didn't stop here. I figured ALL of the chat[.].openai[.]com APIs are vulnerable to the same bypass payload 😬

2. Reading someone's full conversation:

3. Reading a user conversations titles

4. Their account status:

Working with OpenAI on a fix:

I had several discussions with the OpenAI team late at night yesterday to help them fix the four issues. Having come across several web cache deception issues and fixed them as well, I sent clear instructions to the OpenAI team on how to fix it… twitter.com/i/web/status/1…

Fixing this using a regex is not the best. For those who are interested in the new fix that OpenAI implemented:

You would need to compare Content-Type with the URL file extension, and there is a module that does exactly this on Cloudflare called developers.cloudflare.com/cache/about/ca…twitter.com/i/web/status/1…

The OpenAI team was very responsive; here is the timeline:

Initial Report: 2:25 AM
First response: 2:25 AM
Triage: 2:32 AM
Added more details: 2:39 AM
OpenAI follow up on fix suggestion: 3:26 AM
Added more details: 4:05 AM
OpenAI confirms the fix is working: 5:16 AM

Bug Bounty:

It would have been terrific for a company at the scale of OpenAI to have a proper/paid bug bounty program in place, but unfortunately, they only have a responsible disclosure.

You can email them at disclosure@openai.com if you want to report any security findings.

Read the original thread by @naglinagli, based on which I started looking at this issue, and after some research I was able to find new vectors of attack/bypasses:

Alright, that's a wrap everyone – thanks for sticking around.

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling