ChatGPT API vulnerability could enable large-scale DDoS attacks


A security flaw in OpenAI’s ChatGPT application programming interface could be used to initiate a distributed denial-of-service attack on websites, according to a researcher. The discovery was made by Benjamin Flesch, a security researcher in Germany, who detailed the vulnerability and how it could be exploited on GitHub.

According to Flesch, the flaw lies in the API’s handling of HTTP POST requests to the /backend-api/attributions endpoint. The endpoint allows a list of hyperlinks to be provided through the “urls” parameter. The problem arises from an absence of limits on the number of hyperlinks that can be included in a single request, so attackers can easily flood requests with urls via the API.

Read more…
Source: Silicone Angle News


Sign up for our Newsletter


Related:

  • Microsoft Teams bug allowing phishing unpatched since March

    December 22, 2021

    Microsoft said it won’t fix or is delaying patches for several security flaws impacting Microsoft Teams’ link preview feature reported since March 2021. German IT security consultancy firm Positive Security’s co-founder Fabian Bräunlein discovered four vulnerabilities leading to Server-Side Request Forgery (SSRF), URL preview spoofing, IP address leak (Android), and denial of service (DoS) dubbed Message ...

  • What to Do About Log4j

    December 21, 2021

    Log4j poses some deep challenges to IT. In this article I’ll discuss some tactical measures people are already taking now and over the next week or two, and some strategic guidance for what to do after the immediate crisis abates. The Problem Log4j is a very useful tool incorporated in much Java code. There are so many ...

  • PYSA ransomware behind most double extortion attacks in November

    December 21, 2021

    Security analysts from NCC Group report that ransomware attacks in November 2021 increased over the past month, with double-extortion continuing to be a powerful tool in threat actors’ arsenal. Threat actors’ focus is also shifting to entities belonging to the government sector, which received 400% more attacks than in October. The spotlight in November was stolen by ...

  • Russian hackers made millions by stealing SEC earning reports

    December 21, 2021

    A Russian national working for a cybersecurity company has been extradited to the U.S. where he is being charged for hacking into computer networks of two U.S.-based filing agents used by multiple companies to file quarterly and annual earnings through the Securities and Exchange Commissions (SEC) system. Along with other conspirators, the individual made millions of ...

  • FBI: APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central

    December 20, 2021

    Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers. The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting ...

  • Belgian Defense Ministry confirms cyberattack through Log4j exploitation

    December 20, 2021

    The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did not say if it was a ransomware attack but explained that “quarantine measures” were quickly put in ...