ChatGPT API vulnerability could enable large-scale DDoS attacks


A security flaw in OpenAI’s ChatGPT application programming interface could be used to initiate a distributed denial-of-service attack on websites, according to a researcher. The discovery was made by Benjamin Flesch, a security researcher in Germany, who detailed the vulnerability and how it could be exploited on GitHub.

According to Flesch, the flaw lies in the API’s handling of HTTP POST requests to the /backend-api/attributions endpoint. The endpoint allows a list of hyperlinks to be provided through the “urls” parameter. The problem arises from an absence of limits on the number of hyperlinks that can be included in a single request, so attackers can easily flood requests with urls via the API.

Read more…
Source: Silicone Angle News


Sign up for our Newsletter


Related:

  • OceanLotus hackers turn to web archive files to deploy backdoors

    January 12, 2022

    The OceanLotus group of state-sponsored hackers are now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems. The goal is to evade detection by antivirus solutions tools which are more likely to catch commonly abused document formats and stop the victim from opening them on Microsoft Office. Also tracked as APT32 ...

  • Hackers take over diplomat’s email, target Russian deputy minister

    January 12, 2022

    Hackers believed to work for the North Korean government have compromised the email account of a staff member of Russia’s Ministry of Foreign Affairs (MID) and deployed spear-phishing attacks against the country’s diplomats in other regions. One of the targets was Sergey Alexeyevich Ryabko, the deputy foreign minister for the Russian Federation, among other things responsible ...

  • Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

    January 11, 2022

    This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored ...

  • noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds

    January 11, 2022

    Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain. In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released. The exploit ...

  • Millions of Routers Exposed to RCE by USB Kernel Bug

    January 11, 2022

    Millions of popular end-user routers are at risk of remote code execution (RCE) due to a high-severity flaw in the KCodes NetUSB kernel module. The module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives and other peripherals) that are plugged into them. This ...

  • Make sure you’re up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out

    January 11, 2022

    Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances. The information was released today by infosec outfit Rapid7. This comes about a month after Sonicwall issued a patch for the security hole, which was discovered and privately disclosed by Rapid7’s Jake Baines to Sonicwall in October. If ...