Technology News
English Edition
  • Home
  • Ai
  • Ai News
  • OpenAI’s ChatGPT Crawler Can Be Used to Trigger DDoS Attack on Websites, Researcher Claims

OpenAI’s ChatGPT Crawler Can Be Used to Trigger DDoS Attack on Websites, Researcher Claims

A security researcher found a vulnerability in ChatGPT's wrapper that could allow thousands of requests to be sent to a website, like a DDoS attack.

Written by Akash Dutta, Edited by David Delima | Updated: 21 January 2025 19:02 IST
OpenAI’s ChatGPT Crawler Can Be Used to Trigger DDoS Attack on Websites, Researcher Claims

Photo Credit: Reuters

The researcher claimed to not have heard from OpenAI despite reporting the vulnerability multiple times

Highlights
  • ChatGPT crawler can send thousands of network requests to a website
  • Researcher claimed the API does not deduplicate URLs to the same website
  • The vulnerability was given a high severity rating by the researcher
Advertisement

OpenAI's ChatGPT application programming interface (API) has a vulnerability that can be exploited to initiate a distributed denial of service (DDoS) attack on websites, according to details shared by a cybersecurity researcher. The chatbot can reportedly be used to send thousands of network requests to a website using the ChatGPT crawler. The researcher claims that the vulnerability, which was given a high severity rating, is still active with no response from the company on when the issue will be fixed.

ChatGPT API Allows Multiple Parallel Network Requests to Same Website

In a GitHub post shared earlier this month, Germany-based security researcher Benjamin Flesch detailed the vulnerability that exists within the ChatGPT API. The researcher also posted code for a proof of concept that sends 50 parallel HTTP requests to a test website, revealing how the bug can be used to trigger a DDoS attack.

According to the Flesch, the vulnerability surfaces when handling HTTP POST requests to https://chatgpt.com/backend-api/attributions. It is a method to send data to a server, typically used by the API endpoint to create new resources. While executing this function, the ChatGPT API requires a list of hyperlinks in the URL parameter.

In what appears to be a flaw in its API, OpenAI does not check whether a hyperlink to the same resource appears multiple times in the list, according to the researcher. Since hyperlinks to a website can be written in different ways, this results in the crawler sending multiple parallel network requests to the same website. Additionally, Flesch claims OpenAI does not enforce a limit on the maximum number of hyperlinks that can be added to the URL parameter and sent in a single request.

As a result, a malicious actor can potentially send thousands of hits to a website, which could quickly overwhelm its server. The security researcher gave this vulnerability a high severity “8.6 CVSS” rating since it is network-based, has low complexity in execution, and requires no privileges or user interaction but can cause a high impact on availability.

Flesch claimed to have reached out to both OpenAI and Microsoft (as its servers host the ChatGPT API) about the vulnerability multiple times via different channels after discovering the bug in January. He claimed that he reported it to the OpenAI security team, OpenAI employees via reports, the OpenAI data privacy officer, as well as Microsoft's security and Azure network operations team.

Despite making several attempts to flag the vulnerability, the researcher claimed that the issue is neither resolved nor has the AI firm acknowledged its existence. Gadgets 360 staff members were not able to verify the presence of the bug on the chatbot.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: OpenAI, ChatGPT, Cybersecurity, DDoS, AI, Artificial Intelligence
Akash Dutta
Akash Dutta
Akash Dutta is a Senior Sub Editor at Gadgets 360. He is particularly interested in the social impact of technological developments and loves reading about emerging fields such as AI, metaverse, and fediverse. In his free time, he can be seen supporting his favourite football club - Chelsea, watching movies and anime, and sharing passionate opinions on food. More
JioCoin Surfaces on JioSphere Browser as Blockchain-Based Engagement Reward Token, Could Launch Soon

Related Stories

OpenAI’s ChatGPT Crawler Can Be Used to Trigger DDoS Attack on Websites, Researcher Claims
Comment
Facebook Gadgets360 Twitter Share Tweet Snapchat LinkedIn Reddit Comment google-newsGoogle News

Advertisement

Featured
Follow Us
Latest Videos
More Videos
Tech News in Hindi
More Technology News in Hindi
Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. iQOO Neo 10R Pricing and AnTuTu Score Teased Ahead of India Launch
  2. Powerbeats Pro 2 With Heart Rate Monitor Launched in India: See Price
  3. Vivo T4x 5G India Launch Timeline, Price Range, Key Features Leaked
  4. Realme P3 Pro's Glow in the Dark Design Teased Ahead of India Launch
  5. Here's Why You Should Update Your iPhone to iOS 18.3.1 Right Away
#Latest Stories
  1. Powerbeats Pro 2 With Heart Rate Monitor, Up to 45 Hours Total Battery Life Launched in India
  2. Elden Ring Nightreign's Procedurally Generated Map Will See 'Large-Scale Changes to Terrain'
  3. US SEC and Binance File Joint Motion in US Court Seeking 60-Day Pause on Legal Battle
  4. RBI Governor Says Crypto Discussion Paper Will Clarify India’s Stance on Virtual Assets; Industry Reacts
  5. Microsoft Hit by French Antitrust Probe Over Rivals’ Bing Access
  6. Poco M7 5G Design, Key Features Reportedly Spotted on Google Play Console
  7. Anthropic’s Economic Index Reveals Software Engineering Is Most Impacted by AI
  8. Newly Confirmed Super-Earth HD 20794 d May Support Life in Habitable Zone
  9. Instagram Brings Teen Accounts With Additional Protections to Users in India
  10. Motorola Razr+ 2025 Design, Key Features Leaked; May Arrive as Razr 60 Ultra in Select Markets
Gadgets 360 is available in
Follow Us
Download Our Apps
App Store App Store
Available in Hindi
App Store
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.
Trending Products »
Latest Tech News »