A Server-Side Request Forgery (SSRF) vulnerability in OpenAI\u2019s ChatGPT. The flaw, lurking in the Custom GPT \u201cActions\u201d feature, allowed attackers to trick the system into accessing internal cloud metadata, potentially exposing sensitive Azure credentials. <\/p>\n
The bug, discovered by Open Security during casual experimentation, highlights the risks of user-controlled URL handling in AI tools.<\/p>\n
SSRF vulnerabilities<\/a> occur when applications blindly fetch resources from user-supplied URLs, enabling attackers to coerce servers into querying unintended destinations. This can bypass firewalls, probe internal networks, or extract data from privileged services.<\/p>\n As cloud adoption grows, SSRF\u2019s dangers amplify; major providers like AWS, Azure, and Google Cloud expose metadata endpoints, such as Azure\u2019s at http:\/\/169.254.169.254, which contain instance details and API tokens.<\/p>\n The Open Web Application Security Project (OWASP) added SSRF to its Top 10 list in 2021, underscoring its prevalence in modern apps.<\/p>\n The researcher, experimenting<\/a> with Custom GPTs, a premium ChatGPT Plus tool for building tailored AI assistants, noticed the \u201cActions\u201d section. This lets users define external APIs via OpenAPI schemas, allowing the GPT to call them for tasks like weather lookups.<\/p>\n The interface includes a \u201cTest\u201d button to verify requests and supports authentication<\/a> headers. Spotting the potential for SSRF, the researcher tested by pointing the API URL to Azure\u2019s Instance Metadata Service (IMDS).<\/p>\n Initial attempts failed because the feature enforced HTTPS URLs, while IMDS uses HTTP. Undeterred, the researcher bypassed this using a 302 redirect from an external HTTPS endpoint (via tools like ssrf.cvssadvisor.com) to the internal metadata URL. The server followed the redirect, but Azure blocked access without the \u201cMetadata: true\u201d header.<\/p>\n Further probing revealed a workaround: the authentication settings allowed custom \u201cAPI keys.\u201d Naming one \u201cMetadata\u201d with value \u201ctrue\u201d injected the required header.<\/p>\n Success! The GPT returned IMDS data, including an OAuth2 token for Azure\u2019s management API (requested via \/metadata\/identity\/oauth2\/token?resource=https:\/\/management.azure.com\/).<\/p>\n This token granted direct access to OpenAI\u2019s cloud environment<\/a>, enabling resource enumeration or escalation.<\/p>\n The impact was severe. In cloud setups, such tokens could pivot to full compromise, as seen in past Open Security pentests where SSRF led to remote code execution across hundreds of instances.<\/p>\n For ChatGPT,<\/a> it risked leaking production secrets, though the researcher noted it wasn\u2019t the most catastrophic they\u2019d found.<\/p>\n Reported promptly to OpenAI\u2019s Bugcrowd program, the vulnerability was assigned high severity and received a swift patch. OpenAI confirmed the fix, preventing further exploitation.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post ChatGPT Hacked Using Custom GPTs Exploiting SSRF Vulnerability to Expose Secrets<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi8Ay6Zbs-0L0Z9xkRVbGbsmxQ2CIbaiP0f4Pni1mRNxxOW0x0_h2NpMAhyphenhyphenb2uBGrYX99RdwuwCIYe0ZYCt3caibygyuxqA0JiQWaYEGyrAhXiGgTF0bY0fngBFpRy-q20yp_-rsPn8MCjVyubQb0m6iazW637_LIw01T_PAbyqyao-WJfeO_7mcGcrnEbK\/s16000\/ChatGPT%2520Hacked%2520Using%2520Custom%2520GPTs1.webp?ssl=1\")
<\/figure>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi9MHrOed8k0Xm-_TtFw46ixgN8Xv65SWgOTkaOLADZlDbXcy0XHdK_mwvOr-yCjsIFuA1AbQarElamSKdaYa9kBiuw46l8kO_NlxPddallaLjHL-bx28e-_7n50fw7t7L6G8gkrsNeVUZ_YtRfTl4f-Dx7HSWOtdzMdw-71m-GrQ4iWAqndzeh7VmDGjQk\/s16000\/ChatGPT%2520Hacked%2520Using%2520Custom%2520GPTs2.webp?ssl=1\")
<\/figure>\n<\/div>\n