A critical vulnerability in OpenAI’s ChatGPT API allows attackers to launch DDoS attacks on arbitrary websites by exploiting how the API handles HTTP POST requests to the endpoint https://chatgpt[.]com/backend-api/attributions. The issue lies in the processing of hyperlinks passed via the URLs parameter, posing significant risks to website availability and raising concerns for web administrators and enterprises.
ChatGPT Crawler Flaw
Benjamin explained that the ChatGPT crawler can be exploited to launch a DDoS attack on a victim website through a single HTTP request to an unrelated ChatGPT API. This flaw in OpenAI's software triggers a DDoS attack on the target site, with the traffic originating from multiple Microsoft Azure IP address ranges from which the ChatGPT crawler operates.
The issue arises from poor programming practices, as OpenAI failed to implement checks for duplicate hyperlinks or set a limit on the number of URLs that can be submitted.
The risk of a DDoS attack is significant, as attackers can exploit the URL parameter to generate a high volume of requests. By crafting malicious HTTP requests, they can direct thousands of connections to a target website, disrupting its availability.
The API processes hyperlinks but lacks limits on the number of entries, allowing vast quantities in a single request. Each hyperlink triggers an HTTP request from OpenAI’s Microsoft Azure servers, causing a surge of simultaneous traffic to the target. Additionally, the infrastructure allows unlimited parallel requests, leading to potential service disruptions.
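The two missing checks the article names (no deduplication of submitted hyperlinks, no cap on the list length) plus the unbounded parallel fetching are all input-handling defects on the API side. The following is an added example of how a server that accepts a list of URLs can be hardened; it is not OpenAI's code, and the endpoint name, the limit values and the sample input are assumptions made for illustration.

```python
"""Hardened handling of a list-of-URLs request parameter.

Added, illustrative code: this is not OpenAI's implementation. The
limits below are assumed values chosen for the example; a real service
would tune them to its own needs.
"""
from __future__ import annotations

from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable
from urllib.parse import urlsplit, urlunsplit

MAX_URLS_PER_REQUEST = 10   # assumed cap on how many URLs one request may carry
MAX_FETCHES_PER_HOST = 2    # assumed cap on fetches aimed at any single host
MAX_PARALLEL_FETCHES = 2    # assumed cap on concurrent outbound fetches


def normalize(url: str) -> str | None:
    """Return a canonical http(s) URL, or None if the value is not one.

    Lower-casing scheme and host and dropping the fragment means trivially
    varied copies of the same link collapse to one entry for deduplication.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def vet_url_list(urls: Iterable[str]) -> tuple[list[str], list[str]]:
    """Deduplicate, cap, and per-host-limit a submitted URL list.

    Returns (accepted, rejected). The unhardened handler the article
    describes applied neither the duplicate check nor the length cap,
    so every entry became an outbound request.
    """
    accepted: list[str] = []
    rejected: list[str] = []
    seen: set[str] = set()
    per_host: dict[str, int] = {}
    for raw in urls:
        if len(accepted) >= MAX_URLS_PER_REQUEST:
            rejected.append(f"{raw}: list limit of {MAX_URLS_PER_REQUEST} reached")
            continue
        canon = normalize(raw)
        if canon is None:
            rejected.append(f"{raw}: not an http(s) URL")
            continue
        if canon in seen:
            rejected.append(f"{raw}: duplicate")
            continue
        host = urlsplit(canon).netloc
        if per_host.get(host, 0) >= MAX_FETCHES_PER_HOST:
            rejected.append(f"{raw}: per-host limit of {MAX_FETCHES_PER_HOST} reached")
            continue
        seen.add(canon)
        per_host[host] = per_host.get(host, 0) + 1
        accepted.append(canon)
    return accepted, rejected


def fetch_all(urls: list[str], fetcher: Callable[[str], object],
              max_parallel: int = MAX_PARALLEL_FETCHES) -> list[object]:
    """Fetch the vetted URLs with a bounded worker pool.

    `fetcher` is injected so the function can be exercised offline; in a
    real service it would be the HTTP client call.
    """
    with ThreadPoolExecutor(max_workers=max_parallel) as pool:
        return list(pool.map(fetcher, urls))


def handle_urls_request(payload: dict, fetcher: Callable[[str], object]) -> dict:
    """Hypothetical request handler: vet first, then fetch only what passed."""
    accepted, rejected = vet_url_list(payload.get("urls", []))
    results = fetch_all(accepted, fetcher)
    return {"fetched": len(results), "rejected": len(rejected), "results": results}


if __name__ == "__main__":
    # Constructed input: one link repeated many times plus a few variants,
    # standing in for the kind of padded list the article describes.
    sample = ["https://victim.example/page"] * 1000 + [
        "HTTPS://VICTIM.EXAMPLE/page#frag",
        "https://victim.example/other",
        "https://victim.example/third",
        "ftp://victim.example/file",
        "https://other.example/",
    ]
    summary = handle_urls_request({"urls": sample}, fetcher=lambda u: f"fetched {u}")
    print(summary["fetched"], "fetched,", summary["rejected"], "rejected")
```

The important design point is the order of operations: the list is normalized and vetted before any network activity, so a request padded with thousands of copies of one link costs at most `MAX_FETCHES_PER_HOST` fetches to that host, and the thread pool caps how many of the remaining fetches run at once.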
This vulnerability was discovered in January 2025 and reported to OpenAI and Microsoft, but as of January 10, 2025, neither had responded.
Recommendations
To mitigate this critical vulnerability, website owners and administrators should:
- Monitor Traffic: Track incoming traffic for unusual spikes signaling a potential DDoS attack.
- Apply Rate Limiting: Use rate limiting to reduce the impact of surging requests from specific IP ranges.
- Use Firewalls: Deploy web application firewalls (WAFs) to block malicious traffic.
- Collaborate with ISPs: Work with Internet Service Providers to manage excessive traffic effectively.
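The first two recommendations, watching for spikes and rate limiting by source range, both depend on counting requests per source prefix per time window rather than per single IP, because the article notes the traffic arrives from multiple Azure ranges. The following is an added example (not from the original article) that runs that aggregation over constructed access-log lines; the log format, the window size, the threshold and the IP addresses (documentation ranges) are all assumptions.

```python
"""Detect per-source-prefix request bursts in access logs.

Added example, not part of the article. Log lines are in the common
log format; the sample below is constructed and uses documentation IP
ranges (203.0.113.0/24, 198.51.100.0/24), not real crawler addresses.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Record:
    ip: str
    ts: datetime
    request: str
    status: int


def parse_line(line: str) -> Record | None:
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Record(m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["req"], int(m["status"]))


def source_prefix(ip: str, prefix_len: int = 24) -> str:
    """Collapse an address to its enclosing network so a range counts as one source."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def detect_bursts(lines: list[str], window_s: int = 10, threshold: int = 20,
                  prefix_len: int = 24) -> list[tuple[str, int, int]]:
    """Return (prefix, window_start_epoch, count) for every window a prefix exceeds.

    Counting by prefix rather than by single IP is what makes a burst
    spread across many addresses in one range visible; a rate limiter
    keyed the same way would throttle it as one source.
    """
    counts: Counter[tuple[str, int]] = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec.ts.timestamp()) // window_s * window_s
        counts[(source_prefix(rec.ip, prefix_len), bucket)] += 1
    return sorted((key, bucket, n) for (key, bucket), n in counts.items() if n >= threshold)


def _line(ip: str, ts: datetime, path: str = "/") -> str:
    """Build one constructed log line."""
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512 "-" "constructed-ua"'


_BASE = datetime(2025, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
# Constructed sample: 45 requests from 45 addresses in one /24 inside 8 seconds,
# plus 5 ordinary requests from another range spread over a minute.
SAMPLE_LOG = [
    _line(f"203.0.113.{i}", _BASE + timedelta(seconds=i % 8), f"/page{i}") for i in range(1, 46)
] + [
    _line(f"198.51.100.{i}", _BASE + timedelta(seconds=12 * i)) for i in range(1, 6)
]


if __name__ == "__main__":
    for prefix, start, n in detect_bursts(SAMPLE_LOG):
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        print(f"burst: {n} requests from {prefix} in the {when} window")
```

Per-IP counting would see 45 sources each making a single request and flag nothing; the prefix aggregation is what surfaces the pattern, and the same key is what a rate-limit or WAF rule would use.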
The ChatGPT crawler vulnerability underscores the importance of strict quality control in software engineering, particularly for applications handling heavy web traffic. While OpenAI and Microsoft address the issue, web administrators must remain vigilant and take proactive measures to protect their infrastructure from potential DDoS attacks.