SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Digital illustration ai brain cracked computer screen vulnerabilities threats
#
Data Protection
#
AI Security
#
LLMs

Seven critical ChatGPT flaws expose users to data theft risks

Fri, 7th Nov 2025
Author image
By Shannon Williams, Journalist

Tenable has published research identifying seven critical vulnerabilities in OpenAI's ChatGPT, raising concerns about the risk of data theft, hijacking, and persistent compromise for users of the platform.

The findings, produced by Tenable's Cloud Security Research team, highlight exposures in both ChatGPT-4 and ChatGPT-5. The researchers state that, while OpenAI has resolved some issues, other vulnerabilities remain unaddressed as of publication, leaving open potential avenues for malicious exploitation.

Seven identified vulnerabilities

The investigation details seven vulnerabilities and associated attack techniques capable of bypassing ChatGPT's in-built safety mechanisms. These include indirect prompt injection, 0-click and 1-click attacks, and persistent memory injection, which collectively present a chain of compromise: from injection and evasion to data theft and persistence.

Tenable describes indirect prompt injection as a technique where hidden instructions, placed in seemingly innocuous external websites or comments, can trick ChatGPT into executing unauthorised actions. This poses a risk to both the web browsing and memory functionalities of ChatGPT, which interact with live internet data and store user information, thus broadening the scope for manipulation and data exposure.

"HackedGPT exposes a fundamental weakness in how large language models judge what information to trust," said Moshe Bernstein, Senior Research Engineer at Tenable. "Individually, these flaws seem small - but together they form a complete attack chain, from injection and evasion to data theft and persistence. It shows that AI systems aren't just potential targets; they can be turned into attack tools that silently harvest information from everyday chats or browsing."

Details of attack methods

The research outlines several specific attack vectors, including:

  • Indirect prompt injection via trusted sites: Attackers hide commands in legitimate online content, such as blog comments. If ChatGPT reads this content while browsing, it may unwittingly execute malicious instructions.
  • 0-click indirect prompt injection in search: Here, users may be exposed even without clicking anything. ChatGPT's web search could return pages with hidden malicious code that, when simply asked a question, prompt the model to execute unauthorised actions.
  • 1-click prompt injection: Malicious actors can embed harmful commands into seemingly safe links. A user clicking such a link may inadvertently trigger the execution of these commands by ChatGPT.
  • Safety mechanism bypass: Attackers employ trusted wrapper URLs that disguise the real destination, tricking ChatGPT into accepting malicious sites as safe.
  • Conversation injection: Attackers exploit the division between ChatGPT's browsing and conversation functionalities to insert instructions that are subsequently repeated in the conversation context.
  • Malicious content hiding: Formatting bugs enable attackers to conceal instructions within code or markdown, visible as clean text to humans but readable by the model.
  • Persistent memory injection: Vulnerabilities in ChatGPT's memory feature allow attackers to plant instructions that persist across sessions until actively removed, enabling ongoing data leaks or manipulations.

The findings emphasise the potential impact for users, especially considering ChatGPT's broad user base. If exploited, the vulnerabilities could be used to insert persistent, unauthorised commands; steal sensitive chat history or data from connected services such as Google Drive or Gmail; exfiltrate information via web integrations; or manipulate responses to misinform users.

OpenAI response and ongoing risk

Tenable reports that it conducted its investigation following responsible disclosure practices and acknowledges that OpenAI has remedied certain vulnerabilities. However, several issues identified in ChatGPT-5 reportedly remain unaddressed, continuing to pose exposure risks.

The report recommends that AI vendors strengthen their defences, particularly regarding prompt injection. Suggested measures include verifying the effectiveness of safety mechanisms, isolating browsing and memory features to minimise the risk of cross-context attacks, and maintaining vigilance for manipulation or exfiltration attempts.

Recommendations for security teams

Tenable advises security professionals to approach AI tools as active attack surfaces and not as passive systems. Key recommendations include regular auditing and monitoring of AI integrations for signs of manipulation, investigating unusual activity for indications of prompt injection, testing and upgrading defences against known attack vectors, and establishing data classification and governance controls tailored for AI environments.

"This research isn't just about exposing flaws - it's about changing how we secure AI," Bernstein added. "People and organisations alike need to assume that AI tools can be manipulated and design controls accordingly. That means governance, data safeguards, and continuous testing to make sure these systems work for us, not against us."
Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Fortinet moves AI data centre security onto NVIDIA DPUs
Veeam completes USD $1.725b AI security takeover
AI ‘agentic’ tools to drive surge in cyber fraud by 2026
Why agentic AI is the game-changer SOCs need
Check Point unveils AI-focused upgrade to Quantum firewall

Top stories

Tenable hires Microsoft veteran Vlad Korsunsky as CTO
Axis outlines five key security tech trends for 2026
Prompt injection & vibe coding to reshape mobile security
CISOs face rising scrutiny as AI escalates cyber risk
LevelBlue adds unlimited Tenable scans to USM platform