ChatGPT Crawler Vulnerability Abused to Trigger Reflexive DDoS Attacks
gbhackers
Security researchers have uncovered a severe vulnerability in OpenAI’s ChatGPT API, allowing attackers to exploit its architecture for launching Reflective Distributed Denial of Service (DDoS) attacks.
This loophole, which carries a high-severity CVSS score of 8.6, raises significant concerns regarding the scalability and security of AI services deployed on cloud platforms, specifically Microsoft’s Azure.
Overview of the Vulnerability
The vulnerability arises from the ChatGPT API’s inadequacies in processing HTTP POST requests sent to https://chatgpt.com/backend-api/attributions.
Attackers can craft a single request containing a multitude of URLs, potentially thousands, because the system does not limit or validate this input.
As a result, the API unwittingly sends simultaneous requests to a targeted website from multiple IP addresses associated with Microsoft Azure, overwhelming the victim’s server.
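The missing control described above is a bound on the submitted URL list before anything is fetched. The following is an added example, not OpenAI's code and not part of the original article: the function name `plan_fetches`, the exception `RejectRequest` and both limits are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

MAX_URLS = 10      # assumed cap on URLs accepted in one request
MAX_PER_HOST = 1   # assumed cap on fetches per destination host

class RejectRequest(ValueError):
    """Raised when the submitted URL list must be refused outright."""

def plan_fetches(urls, max_urls=MAX_URLS, max_per_host=MAX_PER_HOST):
    """Return the URLs one request may cause the crawler to fetch."""
    if not isinstance(urls, list):
        raise RejectRequest("urls must be a list")
    if len(urls) > max_urls:  # refuse oversized lists before parsing anything
        raise RejectRequest(f"too many urls: {len(urls)} > {max_urls}")
    seen, per_host, allowed = set(), {}, []
    for raw in urls:
        if not isinstance(raw, str):
            continue
        try:
            parts = urlsplit(raw.strip())
            host = (parts.hostname or "").lower().rstrip(".")
            port = parts.port  # raises ValueError on an out-of-range port
        except ValueError:
            continue
        if parts.scheme not in ("http", "https") or not host:
            continue
        # The fragment is left out of the key: it never reaches the server.
        key = (parts.scheme, host, port, parts.path or "/", parts.query)
        if key in seen:
            continue
        seen.add(key)
        if per_host.get(host, 0) >= max_per_host:
            continue  # many spellings of one site still count as one host
        per_host[host] = per_host.get(host, 0) + 1
        allowed.append(raw.strip())
    return allowed

# Constructed sample input: several variants that all point at one site.
SAMPLE = [
    "https://victim.example/a",
    "https://victim.example/b?x=1",
    "HTTPS://Victim.Example./c",
    "https://victim.example:99999/",
    "ftp://victim.example/d",
    "https://other.example/",
]

if __name__ == "__main__":
    print(plan_fetches(SAMPLE))
```

Different hostnames that resolve to the same server are not collapsed by this check; a per-destination rate limit in the fetcher itself would be needed for that.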
When a well-formed HTTP POST ...
Copyright of this story solely belongs to gbhackers.