ChatGPT API vulnerability could enable large-scale DDoS attacks


A security flaw in OpenAI’s ChatGPT application programming interface could be used to initiate a distributed denial-of-service attack on websites, according to a researcher. The discovery was made by Benjamin Flesch, a security researcher in Germany, who detailed the vulnerability and how it could be exploited on GitHub.

According to Flesch, the flaw lies in the API’s handling of HTTP POST requests to the /backend-api/attributions endpoint. The endpoint allows a list of hyperlinks to be provided through the “urls” parameter. The problem arises from an absence of limits on the number of hyperlinks that can be included in a single request, so attackers can easily flood requests with urls via the API.

Read more…
Source: Silicone Angle News


Sign up for our Newsletter


Related:

  • Botnets have been silently mass-scanning the internet for unsecured ENV files

    November 21, 2020

    Drawing little attention to themselves, multiple threat actors have spent the past two-three years mass-scanning the internet for ENV files that have been accidentally uploaded and left exposed on web servers. ENV files, or environment files, are a type of configuration files that are usually used by development tools. Frameworks like Docker, Node.js, Symfony, and Django use ...

  • New Grelos Skimmer Variants Siphon Credit Card Data

    November 20, 2020

    Just as seasonal online shopping kicks into high gear, new variants of the point-of-sale Grelos skimmer malware have been identified. Variants are targeting the payment-card data of online retail shoppers on dozens of compromised websites, researchers warn. The Grelos skimmer malware has been around since 2015, and its original version is associated with what are called ...

  • IT threat evolution Q3 2020

    November 20, 2020

    IT threat evolution Q3 2020 Mobile statistics The statistics presented here draw on detection verdicts returned by Kaspersky products and received from users who consented to providing statistical data. Quarterly figures According to Kaspersky Security Network, the third quarter saw: 1,189 797 detected malicious installers, of which 39,051 packages were related to mobile banking trojans; 6063 packages proved to be mobile ...

  • New Mount Locker Ransomware Version Targeting TurboTax Files

    November 20, 2020

    A new version of the Mount Locker crypto-ransomware strain is specifically targeting victims’ TurboTax files. As reported by Bleeping Computer, Advanced Intel’s Vitali Kremez came across a new Mount Locker sample that specifically sought out files used by the TurboTax tax preparation software. In particular, Kremez observed the sample going after files bearing the “.tax,” “.tax2009,” “.tax2013” ...

  • Weaponizing Open Source Software for Targeted Attacks

    November 20, 2020

    Trojanized open-source software is tricky to spot. This is because it takes on the façade of legitimate, non-malicious software, making it especially stealthy and useful for targeted attacks. However, a closer investigation can reveal suspicious behavior that exposes their malicious intent. How are open-source software trojanized? How can we detect them? To answer these questions, let ...

  • QBot partners with Egregor ransomware in bot-fueled attacks

    November 20, 2020

    The Qbot banking trojan has dropped the ProLock ransomware in favor of the Egregor ransomware who burst into activity in September. Qbot, otherwise known as QakBot or QuakBot, is Windows malware that steals bank credentials, Windows domain credentials, and provides remote access to threat actors who install ransomware. Victims usually become infected with Qbot through phishing emails ...