ChatGPT API vulnerability could enable large-scale DDoS attacks


A security flaw in OpenAI’s ChatGPT application programming interface could be used to initiate a distributed denial-of-service attack on websites, according to a researcher. The discovery was made by Benjamin Flesch, a security researcher in Germany, who detailed the vulnerability and how it could be exploited on GitHub.

According to Flesch, the flaw lies in the API’s handling of HTTP POST requests to the /backend-api/attributions endpoint. The endpoint allows a list of hyperlinks to be provided through the “urls” parameter. The problem arises from an absence of limits on the number of hyperlinks that can be included in a single request, so attackers can easily flood requests with urls via the API.

Read more…
Source: Silicone Angle News


Sign up for our Newsletter


Related:

  • Twitch source code, business data, gamer payouts leaked in massive hack

    October 6, 2021

    An unknown hacker has leaked the entirety of Twitch’s source code among a 128 GB trove of data released this week. The hack, first reported by Video Games Chronicle and confirmed by multiple sources, includes: The entirety of twitch.tv, with commit history going back to its early beginnings Mobile, desktop and console Twitch clients Creator payout reports from 2019 Proprietary ...

  • New UEFI bootkit used to backdoor Windows devices since 2012

    October 5, 2021

    A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since 2012. Bootkits are malicious code planted in the firmware (sometimes targeting UEFI) invisible to security software that runs within the operating system since the malware is designed to ...

  • Apache Web Server Zero-Day Exposes Sensitive Data

    October 5, 2021

    Apache Software has quickly issued a fix for a zero-day security bug in the Apache HTTP Server, which was first reported to the project last week. The vulnerability is under active exploitation in the wild, it said, and could allow attackers to access sensitive information. According to a security advisory issued on Monday, the issue (CVE-2021-41773) ...

  • Hong Kong firm becomes latest marketing company hit with REvil ransomware

    October 5, 2021

    Hong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a British cybersecurity firm monitoring the situation. Fimmick has offices in Hong Kong and across China, serving several high-profile clients like McDonalds, Coca-Cola, Shell, Asus and others. Their website is currently down and there was no response to ZDNet requests for comment. Matt ...

  • IP Surveillance Bugs in Axis Gear Allow RCE, Data Theft

    October 5, 2021

    Three vulnerabilities in the IP video-surveillance systems created by Axis Communications could allow arbitrary code execution, among other attacks. That’s according to Nozomi Networks Labs, whose researchers examined the company’s Axis Companion Recorder, a compact network video recorder (NVR) that stores IP surveillance video coming from attached cameras (it can support up to eight at one ...

  • BlackBerry ties malware campaign targeting victims in India to Chinese cyberespionage group

    October 5, 2021

    The BlackBerry Research & Intelligence team released a new report on Tuesday linking disparate malware campaigns to Chinese cyberespionage group APT41, noting that the group has been taking advantage of Cobalt Strike activity using a bespoke Malleable C2 Profile that uses COVID-19 phishing lures to target victims in India. The team was able to link phishing ...