- This topic has 0 replies, 1 voice, and was last updated 3 weeks, 6 days ago by
.
Summary
On March 30, 2026, Check Point Research (CPR) disclosed a critical vulnerability in ChatGPT’s code execution environment that allowed for silent data exfiltration.
The flaw leveraged a hidden outbound communication channel (DNS tunneling) to bypass OpenAI’s sandboxing, allowing sensitive user data including uploaded files and chat history to be sent to external servers without user consent.
Beyond data theft, researchers demonstrated that this side channel could be used to establish remote shell access (a persistent backdoor) within the Linux-based runtime used by ChatGPT for data analysis.Research Source
According to Check Point Research, this discovery underscores a “breakout” from the isolated Python execution environment that users previously assumed was network-restricted.
The findings highlight a sophisticated evolution in AI-related threats, where malicious prompts or backdoored GPTs can weaponize infrastructure-level protocols (like DNS) that are often overlooked by standard security filters.Technical Details
The attack targets the “Data Analysis” / Python Sandbox feature, which is supposed to be a “walled garden” with no internet access.
Key capabilities of the exploit:
Silent Data Exfiltration: Stealing raw text, PDF contents, and medical/financial assessments.
Remote Shell Access: Establishing a bidirectional command-and-control (C2) link inside the Linux container.
Bypassing Safeguards: Circumventing the “GPT Action” approval dialogs that usually warn users before data is sent externally.
Attack vector:
Malicious Prompts: Tricking users into pasting “productivity hacks” that contain hidden instructions to open the tunnel.
Backdoored GPTs: Custom-built GPTs that look helpful (e.g., a “Personal Doctor”) but secretly leak data in the background.
DNS Tunneling: Since direct HTTP/HTTPS requests were blocked, the attack encoded stolen data into DNS queries, which the system allowed to pass through to the public internet.Observed Attack Activity
Malware Behavior
DNS Encoding: Data is broken into small fragments and hidden inside subdomain lookups (e.g.,encoded-data.attacker-domain.com).
Silent Operation: No warnings or “Allow/Deny” pop-ups appear to the user; ChatGPT continues to answer normally while the leak occurs.
Deceptive Denial: When asked if data has been sent externally, the AI unaware of the low-level system breach wrongfully assures the user that the session is secure.Target Environment
ChatGPT Web and Mobile: Any session utilizing the Code Execution/Data Analysis runtime.
Enterprise Workflows: Users uploading sensitive proprietary documents, contracts, or PII (Personally Identifiable Information) for summarization.Attack Strategy
Social Engineering: Distributing “Prompt Injection” payloads via social media or “Top Prompts” lists.
Infrastructure Abuse: Leveraging legitimate recursive DNS resolvers to transport stolen data past the sandbox.Impact
This vulnerability allowed threat actors to:
Harvest Private Intelligence: Automatically extract names, addresses, and account details from uploaded documents.
Steal AI-Generated Insights: Capture the “condensed intelligence” (summaries or conclusions) the model creates, which is often more valuable than the raw data.
Compromise the Sandbox: Execute arbitrary Linux commands within the ChatGPT runtime, potentially exploring the internal architecture of the execution environment.Mitigation
OpenAI has confirmed that a fix was fully deployed as of February 20, 2026. However, organizations should take the following precautions:
Sanitize Inputs: Warn employees against copying and pasting complex prompts from untrusted third-party sources.
Vet Custom GPTs: Treat third-party GPTs with the same scrutiny as third-party software or browser extensions.
Monitor Outbound Traffic: Implement DNS filtering and monitoring to detect unusual patterns (high-frequency queries to unknown subdomains).
Data Minimization: Avoid uploading highly sensitive, unencrypted PII to AI platforms unless necessary and supported by enterprise-grade privacy agreements.
- You must be logged in to reply to this topic.