A security flaw in OpenAI’s ChatGPT application programming interface could be used to initiate a distributed denial-of-service attack on websites, according to a researcher. The discovery was made by Benjamin Flesch, a security researcher in Germany, who detailed the vulnerability and how it could be exploited on GitHub.
According to Flesch, the flaw lies in the API’s handling of HTTP POST requests to the /backend-api/attributions endpoint. The endpoint allows a list of hyperlinks to be provided through the “urls” parameter. The problem arises from an absence of limits on the number of hyperlinks that can be included in a single request, so attackers can easily flood requests with urls via the API.
Read more…
Source: Silicone Angle News
Related:
- Fortinet admits FortiGate SSO bug still exploitable despite December patch
January 23, 2026
Fortinet has confirmed that attackers are actively bypassing a December patch for a critical FortiCloud single sign-on (SSO) authentication flaw after customers reported suspicious logins on devices supposedly fully up to date. In a new advisory, Fortinet said it had identified a fresh attack path being used to abuse SAML-based SSO in FortiOS, even on systems ...
- Researchers say Russian government hackers were behind attempted Poland power outage
January 23, 2026
A failed December effort to bring down parts of Poland’s energy grid was the work of Russian government hackers known for causing past energy disruptions, according to a security research firm that investigated the incident. Last week, Polish Energy Minister Milosz Motyka told reporters that the attempted cyberattack on December 29 and 30 saw hackers targeting ...
- VMware vCenter Server bug fixed in 2024 under attack today
January 23, 2026
You’ve got to keep your software updated. Some unknown miscreants are exploiting a critical VMware vCenter Server bug more than a year after Broadcom patched the flaw. The vulnerability, tracked as CVE-2024-37079, is an out-of-bounds write flaw in vCenter Server’s implementation of the DCERPC protocol that earned a 9.8 out of 10 CVSS rating. In other ...
- Data of 72 million Under Armour customers appears on the dark web
January 22, 2026
When reports first emerged in November 2025 that sportswear giant Under Armour had been hit by the Everest ransomware group, the story sounded depressingly familiar: a big brand, a huge trove of data, and a lot of unanswered questions. Since then, the narrative around what actually happened has split into two competing versions—cautious corporate statements on ...
- The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time
January 22, 2026
Imagine visiting a webpage that looks perfectly safe. It has no malicious code, no suspicious links. Yet, within seconds, it transforms into a personalized phishing page. This isn’t merely an illusion. It’s the next frontier of web attacks where attackers use generative AI (GenAI) to build a threat that’s loaded after the victim has already visited ...
- Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware
January 22, 2026
In late December 2025, EmEditor, a highly extensible and widely used text, code, and CSV editor developed by U.S.-based Emurasoft, published a security advisory warning users that its download page had been compromised. The attackers’ objective was to distribute a compromised version of the program to unsuspecting users. EmEditor has longstanding recognition within Japanese developer communities ...