
By abusing the flaw, users could get unlimited credits for testing different OpenAI projects, including ChatGPT.
OpenAI offered free credits (around $7) to users willing to try its open AI projects. Cybersecurity company Checkmarx said it had found a flaw that allowed users to abuse the trial and get unlimited credit on new accounts.
“By intercepting and modifying the OpenAI API request, we’ve identified a vulnerability that allows us to bypass these restrictions. This allowed us to sign up for an arbitrary number of user accounts using the same phone number, getting as many free credits as we wanted,” researchers said.
To register for the trial, a user had to enter their email address, click on the activation link sent to the inbox, enter a phone number and then enter the validation code received by SMS. Both email and phone numbers had to be unique for the user to get free credits.
Bypassing the phone number restriction proved challenging for the researchers. They tried making subtle changes to the phone number, such as prepending the country code. Ultimately, they bypassed the requirement by submitting different variations of the same phone number.
“This would allow a malicious user to have multiple accounts with as many credits as they need while effortlessly using the same phone number,” researchers explained.
But this didn’t seem enough for them since they wanted to “increase credit value to a more respectable and significant sum”.
Researchers then turned to REcollapse, an open-source tool that, among other things, fuzzes inputs to find bypasses of validation and sanitization logic.
“After some initial testing, some patterns were observed to be sanitized by OpenAI API. Using Unicode encoding on certain non-ASCII (American Standard Code for Information Interchange) bytes allowed us to bypass it and register more accounts,” they explained.
In short, these encodings make variations of the same phone number look different from one another, so each passes the uniqueness check as a new number, allowing users to register multiple accounts and abuse OpenAI trial credits.
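The defensive counterpart to what the researchers describe is to canonicalize a phone number before using it as a uniqueness key, so that a prepended country code, punctuation, or Unicode digit variants all collapse to the same value. The following is an added example written for this article, not code from OpenAI or Checkmarx; the default country code and national number length are constructed assumptions, and a production service would instead use a full phone-number parsing library.

```python
import unicodedata

# Constructed assumptions for the example: numbers submitted without a country
# code are treated as belonging to this region (NANP, 10 national digits).
DEFAULT_COUNTRY_CODE = "1"
DEFAULT_NATIONAL_LENGTH = 10


def canonical_phone(raw: str) -> str:
    """Reduce a submitted phone number to one canonical E.164-style string.

    Comparing numbers as submitted lets cosmetic variants (spaces, dashes,
    a prepended country code, fullwidth or other Unicode digits, invisible
    characters) register as distinct numbers. Normalizing first makes all
    of those variants map to a single key.
    """
    # NFKC folds compatibility forms: fullwidth digits and "+", superscripts.
    text = unicodedata.normalize("NFKC", raw).strip()
    # Keep only decimal digits, mapping any Unicode digit (e.g. Arabic-Indic)
    # to its ASCII value; everything else, including zero-width characters,
    # is discarded rather than "sanitized" pattern by pattern.
    digits = "".join(str(unicodedata.digit(c)) for c in text if c.isdigit())
    if text.startswith("+"):
        pass                                   # already international format
    elif digits.startswith("00"):
        digits = digits[2:]                    # international dialling prefix
    elif len(digits) == DEFAULT_NATIONAL_LENGTH:
        digits = DEFAULT_COUNTRY_CODE + digits # bare national number
    # otherwise assume the caller already included the country code
    if not 7 <= len(digits) <= 15:             # E.164 allows at most 15 digits
        raise ValueError(f"implausible phone number: {raw!r}")
    return "+" + digits


def is_new_phone(raw: str, registered: set) -> bool:
    """Uniqueness check keyed on the canonical form, not the raw input."""
    key = canonical_phone(raw)
    if key in registered:
        return False
    registered.add(key)
    return True
```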
The company fixed the issue upon notification.