
Account Takeover in ChatGPT

An account takeover vulnerability was found in ChatGPT that allowed hackers to take over any user's account with just one click. The vulnerability involved a technique called web cache deception, where a hacker could craft a URL ending in .css to trick the server into caching and revealing a user's private session details including their access token. With the access token, the hacker could then access and control the victim's account. Web cache deception works by manipulating the URL path to force sensitive data to be cached and revealed as public content. OpenAI has since fixed this vulnerability in ChatGPT.

Uploaded by

Mihai

Account takeover in ChatGPT

Hello everyone. My name is Diego Tellaroli, and in today’s article, I am going to explain how a hacker
could exploit a critical vulnerability that allowed him to take over an account in ChatGPT. This way,
the hacker could invade any ChatGPT user’s account with just a single click, potentially gaining access
to confidential information and being able to perform any action on the victim’s account. This
vulnerability was found by Nagli, so all credit goes to him.

To understand this vulnerability, let’s first understand what an account takeover is. An
account takeover is a type of cyber attack where a hacker gains unauthorized access to a user’s online
account, typically by stealing the user’s login credentials or exploiting vulnerabilities in the system.
Once the hacker gains access to the account, they can perform various malicious activities, such as
stealing personal information, making fraudulent transactions, or spreading malware.

To achieve an account takeover on ChatGPT and successfully obtain the victim’s
account, we exploited another vulnerability, a web cache deception vulnerability. With this
vulnerability, it is possible to hack into any user’s account with just one click.

Ok, but what is a web cache deception?


Web Cache Deception (WCD) is an attack in which an attacker deceives a caching proxy into
improperly storing private information sent over the internet, and then gains unauthorized access to
that cached data. It was proposed in 2017 by Omer Gil, a security researcher.

How web cache deception works


When the browser makes a request to a website, the connection usually passes through a CDN
(Content Delivery Network).

A CDN is a geographically distributed network of proxy servers and their data centers. It caches
local copies of web content to give users faster access by reducing network latency, which also
reduces the load on the web servers.

Caching servers have no safeguards to authenticate users or protect information, so they are meant
to store only non-user-specific static or public content. All user-specific dynamic content is routed
to the main servers of the website or service the user interacts with.

The web cache deception (WCD) attack works through a technique called path confusion. It
manipulates the URL path so that the cache server is forced to store the response, and the sensitive
data gets revealed as public content.

What can be cached?


We can cache public and static files that do not contain any sensitive information, such as:
• General JavaScript files
• Style sheets
• Downloadable content
• Media files
To exploit the vulnerability in ChatGPT to take over an account, an attacker could craft a .css path to
the session endpoint and send the link to the victim. When the victim opens the link, the response is
cached and the attacker can harvest the victim’s credentials and take over their account. It is a critical
web cache deception bug that could have allowed attackers to access user information such as names,
emails, and access tokens, which OpenAI’s API would fetch from the server.

The attack
We could access https://chat.openai.com/api/auth/session and the API would return our account data,
such as name, email, ID, and the most critical one: our access token.

Now if we go to
https://chat.openai.com/api/auth/session/victim.css, we will find the same content as /api/auth/session,
regardless of whether the victim.css file exists on the server. It will return the user’s data, such as the
access token.

This way, the server’s web cache will
see the “.css” extension and interpret it as a Cascading Style Sheets (CSS) file. As the server is
configured to cache Style Sheets files, victim.css will be cached by the server with the victim’s session
content (data and access token).

Figure: the hacker accesses victim.css and gets the victim’s cached data.

Now that victim.css has been cached with the victim’s authentication data, the hacker could simply go
to https://chat.openai.com/api/auth/session/victim.css and retrieve all of the victim’s authentication
data, such as the access token. With the access token, the hacker would be able to authenticate himself
and gain access to the victim’s account.

As victim.css was cached by the server because it was mistaken for a style sheet file, the hacker can
easily view the victim’s session data without any blocking or difficulty.

In this way, the hacker would successfully achieve an account takeover on the victim’s account. He
would only need to wait for the victim to click on a link with a non-existent css, and then immediately
obtain their access token, making this an account takeover with just one click.

How to prevent web cache deception?


Web cache deception is easy to exploit, and hence it belongs to the group of the most critical
vulnerabilities.

The following are the most commonly chosen mitigations:
1. The cache server should operate based on the Cache-Control headers set by your application, and
only cache files if their HTTP caching headers allow it.
2. Cache files depending on their Content-Type header, rather than solely checking the
file extension.
3. The server should return HTTP errors such as 302 or 404 when non-existent files are
requested.
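
The three mitigations above, as an added example that is not part of the original article and not OpenAI's or any CDN's code: a toy origin and cache in Python that compares an extension-only caching policy with one that checks Cache-Control and Content-Type, and shows the effect of the origin rejecting non-existent paths. The response headers, the /static/site.css file and the token value are constructed assumptions.

```python
# Added example: toy origin and cache, not OpenAI's or any CDN's real code.
STATIC_TYPES = {".css": "text/css", ".js": "application/javascript"}
SESSION = "/api/auth/session"
NO_STORE = {"Cache-Control": "no-store"}  # assumed header on dynamic responses

def origin(path, token, strict_routing):
    """Toy origin server: returns (status, headers, body)."""
    if path == "/static/site.css":  # a genuine public stylesheet (constructed)
        return 200, {"Content-Type": "text/css",
                     "Cache-Control": "public, max-age=3600"}, "body{}"
    # Lax routing answers /api/auth/session/<anything> like the session endpoint.
    if path == SESSION or (not strict_routing and path.startswith(SESSION + "/")):
        body = '{"accessToken": "%s"}' % token if token else "{}"
        return 200, {"Content-Type": "application/json", **NO_STORE}, body
    # Mitigation 3: a non-existent file is an error, not the session data.
    return 404, {"Content-Type": "text/plain", **NO_STORE}, "not found"

def extension(path):
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""

def weak_policy(path, status, headers):
    # Decides from the URL alone: anything that looks static is stored.
    return extension(path) in STATIC_TYPES

def strict_policy(path, status, headers):
    # Mitigation 1: obey the application's Cache-Control header.
    cc = headers.get("Cache-Control", "").lower()
    if status != 200 or any(d in cc for d in ("no-store", "no-cache", "private")):
        return False
    # Mitigation 2: the Content-Type must match what the extension claims.
    expected = STATIC_TYPES.get(extension(path))
    return expected is not None and headers.get("Content-Type", "").startswith(expected)

class Cache:
    def __init__(self, policy, strict_routing=False):
        self.policy, self.strict_routing, self.store = policy, strict_routing, {}

    def get(self, path, token=None):
        if path in self.store:  # cache hit: served without consulting the origin
            return self.store[path]
        status, headers, body = origin(path, token, self.strict_routing)
        if self.policy(path, status, headers):
            self.store[path] = (status, body)
        return status, body

def token_leaks(policy, strict_routing=False):
    """True if a session response stored for one user is served to another."""
    cache, url = Cache(policy, strict_routing), SESSION + "/victim.css"
    cache.get(url, token="CONSTRUCTED-TOKEN")        # authenticated request
    return "CONSTRUCTED-TOKEN" in cache.get(url)[1]  # unauthenticated request
```

Calling `token_leaks(weak_policy)` reproduces the cached-session condition the article describes, while the strict policy or strict routing removes it without stopping the real stylesheet from being cached.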
I hope you have enjoyed this article and learned new things, such as what an Account Takeover and a
web cache deception are. This article was made for educational purposes only. The vulnerability has
already been fixed in ChatGPT at the time this article was published. You can check the original Twitter
thread here.
