Chatting with Caution: Security flaws found in ChatGPT plugins


Plugins are also introducing new avenues for breaches in which user data may be at risk, although the risk of data loss remains unknown. The identified vulnerabilities include unauthorized account access and leakage of sensitive information, and it would be easy for even an inexperienced hacker to gain access.

Plugin installation is initially hampered due to limited background information on its usefulness. Unlike secure systems, ChatGPT does not verify that the user actually initiated the installation process. Attackers lure users by sending links that carry these installation commands. Unsuspecting users click the bait without realizing it, and this installs a malicious app under the attacker's control, which gains permissions on their account. Once installed, the malicious app will likely be programmed to steal chat conversations and any sensitive data that is exchanged.
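The missing check described above, sketched as an added example that is not from the original article or from ChatGPT's code: the server binds each installation request to the session that started it and rejects any approval that arrives without that proof. The function names, the token layout and the 10-minute lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)
STATE_TTL = 600                       # assumed lifetime of an install request, in seconds


def _tag(session_id: str, plugin_id: str, issued: int, nonce: str) -> str:
    msg = f"{session_id}|{plugin_id}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def begin_install(session_id: str, plugin_id: str, now: Optional[float] = None) -> str:
    """Run when the logged-in user starts an install; returns a token tied to that session."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    return f"{issued}.{nonce}.{_tag(session_id, plugin_id, issued, nonce)}"


def finish_install(session_id: str, plugin_id: str, state: Optional[str],
                   used: Set[str], now: Optional[float] = None) -> bool:
    """Run when the approval comes back; True only if this session began this install."""
    try:
        issued_s, nonce, tag = state.split(".")
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token: the user never started this flow
    expected = _tag(session_id, plugin_id, issued, nonce)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False  # token was issued to another session or for another plugin
    current = time.time() if now is None else now
    if not 0 <= current - issued <= STATE_TTL:
        return False  # stale request
    if nonce in used:
        return False  # replayed approval
    used.add(nonce)
    return True
```

A link prepared in an attacker's session fails the comparison when it is opened in the victim's session, so the installation is refused instead of silently completing.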

Another attack exploits a flaw in the AskTheCode plugin, which interconnects GitHub and ChatGPT accounts. This plugin provides a new account to store GitHub credentials, thus reducing security risks. WooesMemberIdExploit does not require any password. The plugin establishes the ChatGPT user and grants access to all repositories associated with this account.

Another weakness of this kind is the leaking of plugins that can be used to alter the site’s processes, among others. Attackers can also spy by using links that cause users to download plugins with their credentials, again handing control of the account over to the attacker.

These findings underscore the need to fix the security vulnerabilities in ChatGPT’s plugin system that could lead to security breaches. A preventive approach needs to be adopted during the early stages of exploitation to avoid any unauthorized data usage and to provide a secure experience for all users.
