
ChatGPT Bugs Put Private Data at Risk

Tenable found seven ChatGPT flaws that enable stealthy data theft through chained prompt injection attacks.

Written By
Ken Underhill
Nov 4, 2025

Tenable researchers have identified a cluster of vulnerabilities and attack techniques affecting ChatGPT that enable indirect prompt injection, exfiltration of private user data, persistence across sessions, and bypasses of safety mechanisms. 

These findings demonstrate how an attacker can leverage web-facing behaviors (searching and browsing) and model integration features (memories and web tools) to manipulate model outputs and harvest sensitive information without the user’s knowledge.

Isolation That Fails

At the center of the risk is how ChatGPT composes its response context by using a system prompt (the model’s baseline instructions), conversational context (the current session), and long-term memories (the bio tool). 

ChatGPT also uses a web tool that performs searches and an open_url browsing capability.

Browsing is delegated to a weaker model, SearchGPT, which lacks access to user memories.

Researchers showed that this separation — intended as an isolation layer — can be abused. 

Because SearchGPT can be induced to return malicious instructions via indexed web content, those instructions can be injected back into ChatGPT’s conversational context, producing a novel class of indirect prompt injection attacks.
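One way to make that boundary explicit in code, as an added example (not Tenable's or OpenAI's code): every message in the assembled context carries an origin label, anything that came back through the web/open_url path is fenced as untrusted data, and the memory (bio) tool refuses a write unless the request originates in a user-authored turn that the user confirmed. The tool names come from the article; the Origin labels, the Context class and the write policy are assumptions chosen for illustration. The same gate is what the memory-protection recommendation later in the article asks for.

```python
"""Provenance-tagged context with a gated memory write.

Added example (not Tenable's or OpenAI's code). The tool names 'bio' and
'open_url' come from the article; the Origin labels, the Context class and the
write policy are assumptions chosen to show one way of keeping browsed content
from reaching long-term memory.
"""
from dataclasses import dataclass, field
from enum import Enum


class Origin(Enum):
    SYSTEM = "system"   # the system prompt
    USER = "user"       # text the user typed in this session
    MEMORY = "memory"   # long-term memories (the bio tool)
    TOOL = "tool"       # web / open_url results relayed by SearchGPT: untrusted


@dataclass
class Message:
    origin: Origin
    text: str


@dataclass
class Context:
    messages: list = field(default_factory=list)
    memories: list = field(default_factory=list)

    def add(self, origin: Origin, text: str) -> Message:
        msg = Message(origin, text)
        self.messages.append(msg)
        return msg

    def render(self) -> str:
        """Flatten the context; tool output is fenced and labelled so the model
        sees it as data it was asked to read, not as instructions to follow."""
        parts = []
        for m in self.messages:
            if m.origin is Origin.TOOL:
                parts.append(f"[untrusted tool output begins]\n{m.text}\n[untrusted tool output ends]")
            else:
                parts.append(f"[{m.origin.value}] {m.text}")
        return "\n".join(parts)


def request_memory_write(ctx: Context, requester: Message, memory_text: str,
                         user_confirmed: bool) -> tuple:
    """Gate in front of the bio tool. Returns (allowed, reason).

    Policy (assumption): only a user-authored turn may request a persistent
    write, and the user must confirm it. Anything that arrived through a tool
    result cannot write memory, however it is phrased.
    """
    if requester.origin is not Origin.USER:
        return False, f"refused: write requested from {requester.origin.value} content"
    if not user_confirmed:
        return False, "refused: user confirmation required"
    ctx.memories.append(memory_text)
    return True, "stored"


def demo() -> dict:
    ctx = Context()
    ctx.add(Origin.SYSTEM, "You are a helpful assistant.")
    user = ctx.add(Origin.USER, "Summarise the article at the URL I pasted.")
    # Constructed stand-in for a fetched page whose text tries to trigger a memory write.
    tool = ctx.add(Origin.TOOL, "[constructed page text containing an instruction to store a memory]")
    return {
        # Refused on origin alone, even if a confirmation flag were somehow set.
        "from_tool": request_memory_write(ctx, tool, "constructed memory", user_confirmed=True),
        "from_user_unconfirmed": request_memory_write(ctx, user, "constructed memory", user_confirmed=False),
        "from_user_confirmed": request_memory_write(ctx, user, "prefers short answers", user_confirmed=True),
        "memories": list(ctx.memories),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the design is that trust is a property of where text came from, not of what it says: a write request phrased inside fetched content never reaches the memory store, so a successful injection into the browsing path cannot become the persistent, cross-session leak the article describes.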

The Attack Techniques

Tenable documented seven distinct techniques that increase the potency of prompt injection and data exfiltration attacks:

  1. Indirect prompt injection via trusted sites in Browsing Context (e.g., injected comments on blogs).
  2. 0-click injection in Search Context, where indexed pages serve malicious prompts to SearchGPT.
  3. 1-click injection using the q= query parameter endpoint.
  4. Bypasses of URL safety checks by exploiting trusted redirect or tracking links (e.g., Bing tracking links).
  5. Conversation injection, where SearchGPT output plants prompts that ChatGPT then executes.
  6. Hiding malicious content using markdown rendering quirks so the user does not notice injected instructions.
  7. Memory injection that persistently writes exfiltration instructions into the model’s long-term memories so leakage repeats across sessions.

Together, these vulnerabilities form the foundation for real-world exploit chains that move beyond theory. Tenable combined them to demonstrate how attackers could weaponize these weaknesses into full, end-to-end attacks with tangible user impact.

From Comments to Compromise

Researchers chained these techniques into proofs of concept demonstrating realistic attacks. 

Example vectors included: 

  • A blog comment that causes SearchGPT to inject a link or instruction into ChatGPT’s reply, prompting the user to click a malicious URL. 
  • An indexed malicious site that triggers a 0-click injection simply when a user asks a related question.
  • Memory injection that causes subsequent conversations to leak private information automatically. 

The practical impact ranges from disclosure of private user data stored in memories or chat history to sustained exfiltration and covert persistence — affecting potentially hundreds of millions of LLM users who rely on AI search and browsing.

Tenable’s research further shows that safety mechanisms such as the url_safe endpoint can be bypassed by leveraging trusted redirect paths or crawler indexing behaviors. 

In one method, researchers used Bing’s tracking redirects to exfiltrate data one character at a time. 

The combination of SearchGPT’s susceptibility, rendering quirks that hide malicious instructions, and ChatGPT’s conversational memory makes these chains particularly stealthy and dangerous.

Security experts warn that the implications go beyond isolated vulnerabilities. 

Dr. Süleyman Özarslan, co-founder of Picus Security and VP of Picus Labs, said:

“This research shatters the illusion that GenAI operates in a secure sandbox. By weaponizing standard features like RAG, browsing, and long-term memory, attackers can now execute indirect prompt injection without requiring a user to click a malicious link — simply asking the wrong question is enough to get infected.” 

He added:

“However, IT leaders should recognize these ‘novel’ vulnerabilities for what they are: classic web application flaws repackaged for AI. We shouldn’t panic about an AI apocalypse; instead, we should apply the same rigorous AppSec standards and zero-trust architecture to our AI pipelines that we already use for every other internet-facing application.”

Locking Down the Attack Surface

Organizations and platform operators should adopt layered defenses to reduce exposure to these attack vectors:

  • Limit web browsing and indexing scope: Disable or tightly restrict automatic browsing and web-crawler indexing for model responses; validate and sanitize external content before use.
  • Protect memory and context: Treat memories as sensitive data — require strong authorization for memory writes and provide users clear controls to review and purge stored items.
  • Harden search and URL handling: Avoid blind trust in third-party redirects, validate any URL rendering paths and tighten URL safety checks to account for trusted redirectors.
  • Monitor and detect model misuse: Instrument model browsing, memory updates, and unusual output patterns; deploy anomaly detection to flag repeated, structured exfiltration behaviors.
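The two URL-related items above, and the trusted-redirect bypass described earlier in the article, come together in this added example (not Tenable's or OpenAI's code). It shows a weak safety check that only inspects a link's outer host beside a corrected one that resolves known redirectors to their final destination, and a detector that scans rendered-link events for the character-at-a-time pattern. The article names the url_safe endpoint and Bing tracking links; the redirector hosts and their parameter names, the destination allowlist and the log line format here are constructed assumptions.

```python
"""URL safety check that sees through trusted redirectors, plus a detector for
character-at-a-time exfiltration in rendered links.

Added example, not Tenable's or OpenAI's code. The article names the url_safe
endpoint and Bing tracking links; the redirector hosts and their parameter
names, the destination allowlist and the log line format here are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed allowlist of destinations the assistant may render as links.
ALLOWED_HOSTS = {"docs.example.com", "help.example.com"}
# Constructed: redirector hosts that an outer-host-only check would treat as
# trusted, mapped to the query parameter that carries the real destination.
TRUSTED_REDIRECTORS = {"redirect.example.net": "u", "track.example.org": "url"}


def unwrap_redirect(url: str, max_hops: int = 5) -> Optional[str]:
    """Resolve redirector links syntactically (no network) until the host is not
    a known redirector. Returns None if the chain is deeper than max_hops."""
    for _ in range(max_hops):
        parsed = urlparse(url)
        param = TRUSTED_REDIRECTORS.get(parsed.hostname)
        if param is None:
            return url
        target = parse_qs(parsed.query).get(param)
        if not target:
            return url          # redirector host but no target: judge the link as-is
        url = target[0]         # parse_qs has already percent-decoded the value
    return None


def naive_is_safe(url: str) -> bool:
    """The weak check: only the outer host is inspected, so any destination
    wrapped in a trusted redirector passes."""
    host = urlparse(url).hostname
    return host in ALLOWED_HOSTS or host in TRUSTED_REDIRECTORS


def is_url_safe(url: str) -> bool:
    """The corrected check: judge the final destination, require https, and
    treat an unresolvable chain as unsafe."""
    final = unwrap_redirect(url)
    if final is None:
        return False
    parsed = urlparse(final)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


# Constructed log format: one rendered link per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) sess=(?P<sess>\S+) url=(?P<url>\S+)$")


def single_char_fragments(url: str) -> list:
    """Query values and path segments of exactly one character: the shape of a
    link that carries one character of data per request."""
    parsed = urlparse(url)
    frags = [v for values in parse_qs(parsed.query).values() for v in values]
    frags += [seg for seg in parsed.path.split("/") if seg]
    return [f for f in frags if len(f) == 1]


def detect_char_exfil(log_lines, threshold: int = 4) -> dict:
    """Count, per (session, final host), rendered links that carry a one-character
    payload; return the pairs at or above threshold."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        final = unwrap_redirect(m["url"]) or m["url"]
        host = urlparse(final).hostname
        if single_char_fragments(final):
            counts[(m["sess"], host)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample: four redirector-wrapped links to one host, each carrying a
# single character, plus two ordinary links.
SAMPLE_LOG = [
    "2025-11-04T10:00:01Z sess=s1 url=https://docs.example.com/guide/setup",
    "2025-11-04T10:00:02Z sess=s1 url=https://track.example.org/c?url=https%3A%2F%2Fcollector.example%2Fp%3Fc%3D4",
    "2025-11-04T10:00:03Z sess=s1 url=https://track.example.org/c?url=https%3A%2F%2Fcollector.example%2Fp%3Fc%3Dx",
    "2025-11-04T10:00:04Z sess=s1 url=https://track.example.org/c?url=https%3A%2F%2Fcollector.example%2Fp%3Fc%3D9",
    "2025-11-04T10:00:05Z sess=s1 url=https://track.example.org/c?url=https%3A%2F%2Fcollector.example%2Fp%3Fc%3Dk",
    "2025-11-04T10:00:06Z sess=s2 url=https://help.example.com/a?q=1",
]

if __name__ == "__main__":
    wrapped = "https://track.example.org/c?url=https%3A%2F%2Fcollector.example%2Fp"
    print("naive:", naive_is_safe(wrapped), "corrected:", is_url_safe(wrapped))
    print("flagged:", detect_char_exfil(SAMPLE_LOG))
```

The detector deliberately keys on the final host after unwrapping, so wrapping each beacon in a different trusted redirector does not split the count; the threshold keeps a single short query value in an ordinary link from raising an alert.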

By applying these measures, organizations can reduce the risk of data leakage and model manipulation. 

Tenable’s work reveals that LLMs are not only susceptible to direct prompt injection but also to sophisticated indirect chains that exploit web infrastructure, rendering behavior, and memory features to leak private data persistently. 

As models gain browsing and memory capabilities, defenders must reexamine threat models, treat conversational state as sensitive, and implement robust controls at both the model and platform layers to prevent stealthy exfiltration and persistence.

As these threats grow more advanced, the same generative AI technologies being targeted can also be harnessed to strengthen defenses — particularly in areas like malware analysis.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.