This ChatGPT flaw could send confidential info to attackers with just one prompt


A vulnerability in OpenAI’s ChatGPT could have allowed attackers to steal sensitive data by tricking users into pasting a single malicious prompt into conversations.

The flaw, discovered by Check Point Research, meant that information shared with OpenAI’s chatbot – including personal messages, uploaded documents, and AI-generated summaries – could be transmitted beyond the platform to computers controlled by attackers, without any warning or request for permission.


In one sandbox demonstration, as documented in a blog published on Monday, researchers created a chatbot presented as a personal doctor. A user uploaded a document containing medical test results and identifiable details, then asked for a diagnosis.

The system produced a response, as expected. At the same time, the researchers showed that key information – including the patient’s identity and the chatbot’s medical assessment – could be transmitted outside the platform without the user knowing.

And yet when asked directly, the system indicated that no data had been shared.

ChatGPT denies external data transfer. Screenshot: Check Point Research

ChatGPT is designed so that data leaves the system only with a user’s knowledge and approval, such as when a chatbot connects to an external service.

Researchers said the vulnerability allowed information to bypass those safeguards entirely.

Because the system did not recognize the activity as data leaving the platform, “the leakage did not trigger warnings, did not require user confirmation, and remained largely invisible from the user’s perspective,” the report added.

The single ChatGPT prompt that could trigger data leak


The attack could be initiated through a single malicious prompt hidden inside content presented as productivity advice, a shared template or feature tips.

Once entered, the conversation itself became a source of data extraction.

“From that moment on, each new message in the chat became a potential source of leakage,” the researchers wrote, adding that attackers could also collect user input, text extracted from uploaded files, or condensed outputs such as summaries and conclusions generated by the AI model.

The vulnerability stemmed from the way ChatGPT handles tasks such as analyzing files and executing code inside a restricted computing environment.


The method exploited a basic internet function, DNS resolution, which is the process of translating human-readable domain names (e.g., google.com) into machine-readable IP addresses (e.g., 192.0.2.1).

This remained available inside the system even when other forms of communication were blocked, because it was not regarded as a channel for data transfer and was therefore, incorrectly, deemed harmless.

By exploiting that pathway, an attacker could encode fragments of information into routine system requests and reconstruct them on their own infrastructure, without the activity appearing as a standard data transfer.
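One defender-side check that follows from this pathway, added here as an example and not taken from the Check Point report or from OpenAI: a small Python detector that profiles resolver logs per registered domain and flags domains receiving many unique, long, high-entropy subdomain labels, the pattern that turns name resolution into a covert channel. The log format, the `.test` collector domain, the sample lines and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver log lines "time client qname" (not real traffic).
# "collector.test" is a placeholder for attacker-controlled infrastructure.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 api.openai.com
10:00:02 10.0.0.5 files.pythonhosted.org
10:00:03 10.0.0.5 9f3a7c1e5b2d8046.s1.collector.test
10:00:03 10.0.0.5 e71c04b9a2f6d385.s2.collector.test
10:00:04 10.0.0.5 4b8d2e0fc7a1963e.s3.collector.test
10:00:04 10.0.0.5 d05f9c3a8e17b264.s4.collector.test
10:00:05 10.0.0.5 71a6e4d2f09c8b3e.s5.collector.test
10:00:06 10.0.0.5 pypi.org
10:00:07 10.0.0.5 www.example.com
"""

LINE_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: the last two labels are the registrable domain (no public-suffix list).
    return ".".join(qname.split(".")[-2:])

def profile_queries(log_text):
    """Per registered domain: query count, unique names, longest subdomain label, entropy sum."""
    stats = defaultdict(lambda: {"queries": 0, "unique_names": set(), "max_label_len": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        st = stats[registered_domain(qname)]
        st["queries"] += 1
        st["unique_names"].add(qname)
        sub_labels = qname.split(".")[:-2]
        if sub_labels:
            st["max_label_len"] = max(st["max_label_len"], max(len(l) for l in sub_labels))
            st["entropy_sum"] += shannon_entropy(sub_labels[0])  # leftmost label carries any payload
    return stats

def flag_exfil_candidates(log_text, min_unique=4, min_label_len=12, min_entropy=3.0):
    """Flag domains queried under many distinct, long or high-entropy subdomains."""
    flagged = []
    for dom, st in profile_queries(log_text).items():
        mean_entropy = st["entropy_sum"] / st["queries"]
        if len(st["unique_names"]) >= min_unique and (st["max_label_len"] >= min_label_len or mean_entropy >= min_entropy):
            flagged.append(dom)
    return sorted(flagged)
```

On the sample above only `collector.test` is flagged; the legitimate package and API lookups each resolve a single, short, low-entropy name. In practice the thresholds need tuning against a baseline of the sandbox's normal lookups, and a public-suffix list should replace the two-label heuristic.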

Check Point said the issue was not simply a failure of existing guardrails, but a gap in how those safeguards were designed. The security controls were focused on what the system was being asked to do – the intent of a prompt, or the use of approved tools – rather than how the underlying infrastructure behaved.

“AI guardrails often focus on policy and intent, while attackers exploit infrastructure and behavior.”

Check Point Research

Custom GPT tools and remote access risks identified

The same technique could also be embedded in custom versions of ChatGPT, known as GPTs, which are used in a wide range of specialized everyday and work-based tasks.

In those cases, users would not need to have pasted a malicious prompt; simply interacting with the chatbot could expose sought-after personal information.

Check Point also demonstrated that the same pathway could be used to send commands into the system and retrieve results, creating a limited form of remote access to the underlying environment used for code execution.

“The research reinforces a hard truth for the AI era: don’t assume AI tools are secure by default.”

Eli Smadja, head of research, Check Point Research

The issue was responsibly disclosed, and OpenAI confirmed it had already identified the underlying problem internally.

A full fix was deployed on February 20th, closing the unintended communication path. There is no indication of exploitation in the wild.

It’s not the first time that GPT has been found to leak personal information. Last July, internet sleuths discovered that ChatGPT’s shared links, originally designed for collaboration, were being indexed by search engines.
