Cyber Threat Briefing

A new kind of threat

Tenable Research has uncovered seven previously unknown vulnerabilities in OpenAI’s ChatGPT service that could be exploited to exfiltrate users’ personal data, persist beyond a single session and even bypass built‑in safety controls. The flaws affect GPT‑4o and GPT‑5, the latest models behind ChatGPT, and highlight how malicious actors can abuse large‑language models (LLMs) to change their behaviour in ways developers did not intend. Tenable reported the issues to OpenAI, which has fixed some of them; however, the discovery underscores the growing “prompt injection” problem—malicious instructions hidden in data that cause an AI to act against its owner’s interests. The research quickly went viral across infosec circles, with #ChatGPT and #HackedGPT trending on social media and sparking debate about the risks of generative AI.

Technical details / Who’s affected

Tenable’s analysis grouped the issues into seven attack techniques:

• Indirect prompt injection via trusted sites – Attackers can embed malicious instructions in the comments or metadata of web pages. When a user asks ChatGPT to summarise the page, the model unknowingly executes the hidden instructions.
• Zero‑click prompt injection (search context) – Simply asking ChatGPT about a particular site can trigger hidden instructions if the site has been indexed by search engines and contains malicious prompts.
• One‑click prompt injection via the chatgpt.com/?q parameter – Crafting a URL with a ?q= parameter automatically executes a supplied prompt when loaded, allowing attackers to inject commands.
• Safety‑bypass through allow‑listed domains – Malicious URLs can be disguised as Bing ad‑tracking links because bing.com is on ChatGPT’s safe list, enabling the attacker to serve hidden instructions.
• Conversation injection – Adversaries can embed prompts into a web page and then ask ChatGPT to summarise it. The injected instructions persist in subsequent interactions, causing the model to drift from its original task.
• Malicious content hiding – A bug in ChatGPT’s markdown renderer allows attackers to hide malicious prompts by placing them on the same line as a code‑block delimiter, so the instructions aren’t displayed to the user.
• Memory injection – By concealing instructions in a webpage and asking ChatGPT to summarise it, attackers can poison the model’s “memory” so that later queries leak data.

In addition to these methods, security researchers flagged related exploitation techniques across the AI ecosystem—prompt jacking in Anthropic’s Claude, agent‑session smuggling to hijack cross‑agent communication, “prompt inception” to amplify false narratives and a shadow‑escape zero‑click attack that steals sensitive data via model‑context protocols. Tenable warned that the vulnerabilities allow an attacker to exfiltrate chat histories, personal information and potentially tokens, and that the issues arise because large‑language models implicitly trust content drawn from the web. The problem is particularly concerning for organisations adopting AI assistants for customer support or internal productivity tools.

Industry or government response

OpenAI has patched several of the issues disclosed by Tenable. Tenable’s blog describes the flaws as including “unique indirect prompt injections, exfiltration of personal user information, persistence, evasion and bypass of safety mechanisms.” The company emphasised that prompt injection is an inherent challenge for LLMs and cautioned that there may be no systematic fix in the near future. Meanwhile, researchers from Texas A&M, the University of Texas and Purdue University warned that training AI models on “junk data” can lead to LLM brain rot, making them more susceptible to poisoning.

Governments have also begun to respond. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added vulnerabilities affecting AI‑related products to its Known Exploited Vulnerabilities catalogue, and has urged federal agencies to audit their AI tools. Europe’s upcoming AI Act includes provisions requiring developers to demonstrate how they mitigate prompt injection and data‑exfiltration risks. These moves signal regulatory pressure to harden AI models against adversarial manipulation.

Why this matters

ChatGPT is one of the most widely used generative AI services; millions of people rely on it for research, coding and personal advice. The discovery that attackers can trick the model into leaking private data or executing hidden instructions undermines trust and shows that LLMs remain an immature technology. The research also demonstrates that connecting AI to external tools (browsers, search engines, plug‑ins) dramatically increases the attack surface. As Tenable put it, vendors must ensure all safety mechanisms—such as URL allow‑lists and content filtering—are robust.

How to stay safe

1. Be cautious with summaries. Don’t ask ChatGPT to summarise pages from unknown or untrusted sources—malicious prompts can hide in comments or metadata.
2. Check URLs. Avoid suspicious links, especially those that use the ?q= parameter or look like disguised ad‑tracking links.
3. Keep AI tools up to date. Use the latest versions of ChatGPT and other AI assistants.
4. Limit sensitive information. Treat AI chats like a public forum; never share confidential data.
5. Implement input sanitisation. Developers integrating LLMs should strip HTML comments and other hidden content before sending data to the model.
6. Monitor model output. Organisations using AI assistants should log interactions and watch for unusual behaviour.
7. Stay informed. Follow BadActyr and official advisories for ongoing updates on AI vulnerabilities.

1. Ravie Lakshmanan – The Hacker News, “Researchers Find ChatGPT Vulnerabilities That Let Attackers Trick AI Into Leaking Data,” Nov 5 2025.
2. Moshe Bernstein & Liv Matan – Tenable Blog, “HackedGPT: Novel AI Vulnerabilities Open the Door for Private Data Leakage,” Nov 5 2025.