ChatGPT Vulnerability May Have Exposed Users’ Payment Information

A vulnerability in ChatGPT may have exposed payment-related information for some customers of the AI tool and revealed titles from the chat history of some active users, OpenAI has disclosed.

In a blog post published March 24, 2023, the company gave details of a data breach caused by a bug in an open source library, which forced ChatGPT to be taken offline temporarily on Monday, March 20.

After patching the vulnerability, OpenAI was able to restore the ChatGPT service and, later, the chat history feature, with the exception of a few hours of history.

The company, co-founded by Twitter and Tesla CEO Elon Musk, said the bug “may have unintentionally displayed payment-related information for 1.2% of ChatGPT Plus subscribers who were active within a given nine-hour window.”

In this window, before ChatGPT went offline on March 20, some users were able to see another active user’s first and last name, email address, payment address, the last four digits of their credit card number, and the card’s expiration date. However, OpenAI stressed that “the full credit card number was never exposed.”

The company added that the number of users whose data was exposed in this way was “very small” and that it has “confirmed that there is no ongoing risk to users’ data.”

Affected customers have been notified that their payment information may have been exposed.

Data may have been accessed in two ways within a given nine-hour window:

  1. By opening a subscription confirmation email sent on March 20 between 1:00 a.m. and 10:00 a.m. PST. Because of the bug, some of the emails generated in that period were sent to the wrong users and displayed payment information.
  2. In ChatGPT, by clicking “My account” and then “Manage my subscription”, where a user may have seen another active ChatGPT user’s payment information.

OpenAI has acknowledged that these issues may also have occurred before this nine-hour window, but has not confirmed any such instances.

The vulnerability was found in redis-py, the open-source Redis client library. It was triggered when OpenAI inadvertently introduced a server-side change that caused a spike in Redis request cancellations, which gave each connection a small chance of returning the wrong data.

The chatbot’s developer uses Redis to cache user information on its servers so that it does not have to query the database on every request.

OpenAI has apologized for the breach and outlined the steps it has taken to harden its systems. These include adding redundant checks to ensure that the data returned by the Redis cache matches the requesting user, and programmatically examining logs to confirm that all messages are made available only to the correct user.
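The two mitigations above, ownership checks on cache reads and a mechanical log audit, can be illustrated with a small defensive example. The code below is an added illustration, not OpenAI’s code and not part of redis-py: it uses an in-memory stand-in for the Redis client whose connection can be made to hand back the reply to a different request (the failure mode the article describes, reproduced here artificially), embeds the owner inside every cached payload so a reader can verify it, falls back to the source of truth on a mismatch, and scans constructed log lines for responses served to the wrong user. All identifiers, the `owner` field, the `req_user`/`resp_owner` log format and the sample records are assumptions made for this example.

```python
import json
from typing import Dict, List, Optional


class FlakyCache:
    """In-memory stand-in for a Redis client (constructed for this example).

    Normally a plain key/value store. inject_stale_reply_for() arms the NEXT
    get() to return the value stored under a *different* key, mimicking a
    connection that returns the response to an earlier, cancelled request.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}
        self._stale: Optional[str] = None

    def set(self, key: str, value: str) -> None:
        self._store[key] = value

    def get(self, key: str) -> Optional[str]:
        if self._stale is not None:
            reply, self._stale = self._stale, None
            return reply
        return self._store.get(key)

    def inject_stale_reply_for(self, other_key: str) -> None:
        self._stale = self._store.get(other_key)


class CacheOwnerMismatch(Exception):
    """Raised when a cached payload does not belong to the requesting user."""


def cache_user_record(cache: FlakyCache, user_id: str, record: dict) -> None:
    # Embed the owner in the payload so a reader can verify ownership without
    # trusting that the reply really corresponds to the key it asked for.
    cache.set(f"user:{user_id}", json.dumps({"owner": user_id, "data": record}))


def load_user_record(cache: FlakyCache, user_id: str) -> Optional[dict]:
    raw = cache.get(f"user:{user_id}")
    if raw is None:
        return None
    payload = json.loads(raw)
    # The redundant check: refuse to serve a payload owned by someone else.
    if payload.get("owner") != user_id:
        raise CacheOwnerMismatch(
            f"cache reply owned by {payload.get('owner')!r} served to {user_id!r}"
        )
    return payload["data"]


def load_with_fallback(cache: FlakyCache, user_id: str, db: dict) -> dict:
    """Serve from cache; on a mismatch discard the reply and re-read the
    source of truth (db is a plain dict standing in for the real database)."""
    try:
        hit = load_user_record(cache, user_id)
    except CacheOwnerMismatch:
        hit = None  # never expose another user's data; fall through to db
    if hit is None:
        hit = db[user_id]
        cache_user_record(cache, user_id, hit)
    return hit


def audit_log_lines(lines: List[str]) -> List[str]:
    """Return lines where the responding owner differs from the requester.
    The 'req_user=<id> resp_owner=<id> ...' format is constructed here."""
    flagged = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("req_user") != fields.get("resp_owner"):
            flagged.append(line)
    return flagged


SAMPLE_LOG = [  # constructed sample lines, not real service logs
    "req_user=alice resp_owner=alice path=/account",
    "req_user=bob resp_owner=bob path=/account/manage-subscription",
    "req_user=carol resp_owner=alice path=/account/manage-subscription",
]


def run_scenario() -> dict:
    """Exercise the cache with and without a stale reply, then audit the log."""
    db = {"alice": {"email": "alice@example.com"}, "bob": {"email": "bob@example.com"}}
    cache = FlakyCache()
    for uid, rec in db.items():
        cache_user_record(cache, uid, rec)

    normal = load_user_record(cache, "bob")       # healthy connection

    cache.inject_stale_reply_for("user:alice")    # bob's next read gets alice's reply
    try:
        load_user_record(cache, "bob")
        caught = False
    except CacheOwnerMismatch:
        caught = True

    cache.inject_stale_reply_for("user:alice")    # same fault, via the fallback path
    recovered = load_with_fallback(cache, "bob", db)

    return {"normal": normal, "caught": caught, "recovered": recovered,
            "flagged": audit_log_lines(SAMPLE_LOG)}


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the key a client asked for is not proof of what it received: once a connection can deliver a reply belonging to a different request, the only reliable guard is a property carried inside the payload that the reader compares against the caller, with a fail-closed path (reject and re-read) when it does not match.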

The company said: “It’s a responsibility that we take incredibly seriously. Unfortunately, we didn’t live up to that commitment and user expectations this week. We once again apologize to our users and the entire ChatGPT community. We will work hard to rebuild trust.”

Since the chatbot’s high-profile launch in November 2022, a number of security concerns have been raised about ChatGPT, including that, as the technology matures, it will be used to create malware and sophisticated phishing campaigns.

Additionally, data privacy experts have criticized the data scraping methods OpenAI used to collect the data on which ChatGPT was trained.

Editorial image credit: AlpakaVideo / Shutterstock
