Tenable Uncovers ChatGPT Flaws Enabling Data Theft

Tenable Research identified seven critical vulnerabilities in ChatGPT that allow data exfiltration, the bypassing of security mechanisms, and persistent compromise of the model. Although OpenAI addressed some of the reported issues, others remain active in ChatGPT-5, leaving potential exposure paths open.

“HackedGPT exposes a fundamental weakness in how large language models determine what information to trust,” says Moshe Bernstein, Senior Research Engineer, Tenable. “Individually, these flaws may appear small, but together they form a complete attack chain — from injection and evasion to data theft and persistence.”

According to Tenable Research, hundreds of millions of users rely on ChatGPT daily for business, research, and communication purposes. In Latin America, adoption rates of Generative AI tools, including ChatGPT, exceed the global average, increasing the relevance of security analysis in the region. The vulnerabilities collectively referred to as HackedGPT reveal a new class of AI threats known as indirect prompt injection.

This attack technique, shared through a Tenable press release, allows malicious actors to embed hidden instructions within legitimate-looking websites or comments, which may cause the model to execute unauthorized commands. These vulnerabilities affect ChatGPT’s browsing and memory features, both of which handle real-time internet data and store user information, creating opportunities for manipulation and exposure.

Tenable Research identified seven attack techniques during testing of OpenAI’s ChatGPT-4o, several of which persisted in ChatGPT-5 at the time of publication.

The vulnerabilities include:

1. Indirect prompt injection through trusted websites: Attackers embed commands in legitimate online content, causing ChatGPT to follow malicious instructions when processing a compromised page.

2. Zero-click prompt injection: The model may execute hidden commands without user interaction when searching the web, potentially leaking sensitive information through a single prompt.

3. One-click prompt injection: Malicious commands embedded in seemingly safe links can take control of a conversation with a single click.

4. Security mechanism bypass: Attackers exploit trusted URL wrappers, such as “bing.com/ck/a?...,” to redirect ChatGPT to unsafe destinations, bypassing its built-in link validation.

5. Conversation injection: Attackers use ChatGPT’s browsing feature to insert hidden instructions that the model interprets as part of the conversation.

6. Malicious content concealment: Formatting errors allow attackers to hide malicious code inside markdown text or code blocks, appearing benign to users while remaining executable by the model.

7. Persistent memory injection: Malicious instructions can be stored in ChatGPT’s long-term memory, remaining active across multiple sessions and continuing to leak private information until manually deleted.

If exploited, these vulnerabilities could allow attackers to insert hidden commands directly into user conversations or even into the system’s long-term memory, creating ongoing risks of compromise across multiple sessions. They could also enable the theft of sensitive information stored in chat histories or connected third-party services, such as Google Drive or Gmail, expanding the potential attack surface beyond the application itself.

In addition, compromised models could be used to exfiltrate data through browsing or web integrations, silently transferring private information to unauthorized destinations. Finally, attackers could manipulate generated responses to disseminate misinformation or subtly influence user behavior, undermining the integrity and reliability of AI-assisted communication.

Tenable Research reported the findings to OpenAI prior to publication. According to the organization, some vulnerabilities were mitigated, while others remained partially unaddressed. Bernstein recommends that AI providers reinforce their systems by validating security controls, isolating browsing and memory functions, and testing for cross-context attacks.

Security Recommendations for Enterprises

Tenable recommends that enterprise security teams treat AI platforms as active attack surfaces rather than passive assistants, integrating them into broader cybersecurity monitoring frameworks. It advises organizations to continuously audit and monitor AI integrations to detect manipulation attempts or potential data leaks. Unusual requests or unexpected outputs should be investigated promptly, as they may indicate prompt injection or other forms of compromise. 

The company also emphasizes the need to test and strengthen defenses against injection and exfiltration pathways to reduce the likelihood of persistent threats. Finally, Tenable highlights the importance of implementing robust data classification and governance controls to ensure responsible and secure use of AI across corporate environments.

“This research is not solely about exposing flaws; it is about redefining how AI security should be approached,” says Bernstein. “Organizations must assume that AI tools can be manipulated and implement safeguards accordingly. That includes governance, data protection, and continuous testing to ensure these systems work for users, not against them.”

As AI systems continue to integrate into enterprise operations, Tenable Research emphasizes that exposure management and continuous security monitoring are essential components of digital risk mitigation.