A security flaw in OpenAI’s ChatGPT application programming interface could be used to initiate a distributed denial-of-service attack on websites, according to a researcher. The discovery was made by Benjamin Flesch, a security researcher in Germany, who detailed the vulnerability and how it could be exploited on GitHub.
According to Flesch, the flaw lies in the API’s handling of HTTP POST requests to the /backend-api/attributions endpoint. The endpoint allows a list of hyperlinks to be provided through the “urls” parameter. The problem arises from an absence of limits on the number of hyperlinks that can be included in a single request, so attackers can easily flood requests with urls via the API.
Read more…
Source: Silicone Angle News
Related:
- GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware
July 9, 2026
In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. GigaWiper is particularly notable for its makeup. It’s not a single, ...
- 6.9 million driver’s license numbers stolen from AssuranceAmerica
July 9, 2026
Insurance provider AssuranceAmerica has confirmed a data breach affecting the personal information and driver’s license numbers of up to 6.9 million people. AssuranceAmerica provides car and rental insurance to customers across 14 US states through a network of over 9,500 independent agents. The breach notice letter also mentions information about customers’ auto insurance policies and accounts, their drivers and ...
- Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation
July 7, 2026
In April 2026, Unit 42 researchers identified a financially motivated campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small- and medium-sized business victims worldwide. Attackers lure victims via malvertising to pages for downloading files that impersonate cracked versions of copyright-protected software. Upon execution, the loader drops and runs both Vidar stealer and ...
- Fake Netflix, Coca-Cola, and FIFA job scams target marketers
July 7, 2026
Attackers are impersonating major companies and recruiters to target marketing professionals, using trusted services and browser tricks to make the scam look legitimate. A BleepingComputer article detailing the campaign found at least 34 domains impersonating high-value companies, including Netflix, Coca-Cola, Adidas, and FIFA. The lure is a fake job interview or scheduling request from a “recruiter” representing one of ...
- Hacktivists call out Trump by hacking and defacing US Army websites
July 7, 2026
The U.S. Army has reportedly fixed two of its websites that had been defaced to display pro-Kurdish messages and to call out President Donald Trump, the latest case of hackers compromising systems run by the federal government in recent months. Security researcher Ronald Lovelace told Cyberscoop, which first reported the defacements, that error pages were modified on two U.S. Army ...
- When checking the URL isn’t enough: a Device Code Phishing attack via a Microsoft website
July 6, 2026
One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, Kaspersky encountered a campaign where attackers instruct victims to input data directly ...

