ChatGPT API vulnerability could enable large-scale DDoS attacks


A security flaw in OpenAI’s ChatGPT application programming interface could be used to initiate a distributed denial-of-service attack on websites, according to a researcher. The discovery was made by Benjamin Flesch, a security researcher in Germany, who detailed the vulnerability and how it could be exploited on GitHub.

According to Flesch, the flaw lies in the API’s handling of HTTP POST requests to the /backend-api/attributions endpoint. The endpoint allows a list of hyperlinks to be provided through the “urls” parameter. The problem arises from an absence of limits on the number of hyperlinks that can be included in a single request, so attackers can easily flood requests with urls via the API.

Read more…
Source: Silicone Angle News


Sign up for our Newsletter


Related:

  • A Ransomware Prescription for the Healthcare Industry

    January 29, 2020

    To paraphrase Mark Twain, reports of ransomware’s death have been greatly exaggerated. Ransomware attacks resumed with a vengeance last year, despite conjecture by some researchers that CPU mining would overtake ransomware as a leading threat vector. Instead, the ransomware threat is stronger than ever, impacting more than 750 healthcare providers and racking up recovery costs approaching $4 billion. Some healthcare ...

  • Security Analysis of Devices That Support SCPI and VISA Protocols

    January 28, 2020

    When a legacy protocol is connected via Ethernet, and subsequently to the internet, security issues arise. Standard Commands for Programmable Instruments (SCPI) is a legacy protocol that many advanced measurement instruments support. It can be issued via General Purpose Interface Bus (GPIB), Universal Asynchronous Receiver/Transmitter (UART), Universal Serial Bus (USB), or Ethernet. However, it is ...

  • xHunt Campaign: New Watering Hole Identified for Credential Harvesting

    January 27, 2020

    During the analysis of the xHunt campaign activities, we identified a Kuwaiti organization’s webpage used as an apparent watering hole. The webpage contained a hidden image which was observed between June and December 2019, and referenced domains associated with malicious activity conducted by the xHunt campaign operators. We believe that the same threat actors involved in ...

  • An Inside Look into Microsoft Rich Text Format and OLE Exploits

    January 24, 2020

    There has been a dramatic shift in the platforms targeted by attackers over the past few years. Up until 2016, browsers tended to be the most common attack vector to exploit and infect machines but now Microsoft Office applications are preferred, according to a report published here during March 2019. Increasing use of Microsoft Office as a ...

  • Nice Try: 501 (Ransomware) Not Implemented

    January 24, 2020

    Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers’ swift attempts to exploit this vulnerability and the post-compromise deployment of the previously unseen NOTROBIN malware family by one threat actor. FireEye continues to actively track multiple ...

  • U.S. Government Agency Targeted With Malware-Laced Emails

    January 23, 2020

    A U.S. government agency was targeted with spear phishing emails harboring several malware strains – including a never-before-seen malware downloader that researchers call “Carrotball.” The campaign, which researchers observed occurring from July to October and code-named “Fractured Statue,” involved six unique malicious document lures being sent as attachments from four different Russian email addresses to 10 ...