ChatGPT API vulnerability could enable large-scale DDoS attacks


A security flaw in OpenAI’s ChatGPT application programming interface could be used to initiate a distributed denial-of-service attack on websites, according to a researcher. The discovery was made by Benjamin Flesch, a security researcher in Germany, who detailed the vulnerability and how it could be exploited on GitHub.

According to Flesch, the flaw lies in the API’s handling of HTTP POST requests to the /backend-api/attributions endpoint. The endpoint allows a list of hyperlinks to be provided through the “urls” parameter. The problem arises from an absence of limits on the number of hyperlinks that can be included in a single request, so attackers can easily flood requests with urls via the API.

Read more…
Source: Silicone Angle News


Sign up for our Newsletter


Related:

  • LokiBot Trojan Spotted Hitching a Ride Inside .PNG Files

    April 5, 2019

    Spam campaign features obfuscated .zipx archive that unpacks LokiBot attack. A spam campaign pushing the info-stealing LokiBot trojan leverages a novel technique to avoid detection. According to researchers, the spam messages include malicious .zipx attachment hidden inside a .PNG file that can slip past some email security gateways. According to Trustwave SpiderLabs, that first spotted the .PNG/LokiBot ...

  • A dozen US web servers are spreading 10 malware families, Necurs link suspected

    April 4, 2019

    Researchers have uncovered over a dozen servers, unusually registered in the United States, which are hosting ten different malware families spread through phishing campaigns potentially tied to the Necurs botnet. On Thursday, researchers from Bromium said they have monitored scams connected to this infrastructure during the May 2018 to March 2019 time period. Five families of banking ...

  • This new malware is scanning the internet for systems info on valuable targets

    April 3, 2019

    A new form of malware is scanning the internet for exposed web services and default passwords in what’s thought to be a reconnaissance operation – one which might signal a larger cyberattack is to come. Researchers at AT&T Alien Labs first spotted the malware in March and have named it Xwo after its primary module name. It’s thought that Xwo ...

  • Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data

    April 2, 2019

    On March 30th, security researcher James Lee disclosed information on two zero-day vulnerabilities present in current versions of Microsoft Edge and Internet Explorer. These vulnerabilities make it possible for confidential information to be shared between websites. A flaw in the same-origin policy for these web browsers, called an Origin Validation Error (CWE-346), allows JavaScript embedded in a malicious ...

  • Mobile-First Phishing Kit Targets Verizon Customers

    April 2, 2019

    As people increasingly go mobile-first in their work and personal lives, cybercrime is keeping up: The latest is a phishing kit that specifically targets Verizon Wireless customers in the U.S. According to Jeremy Richards, a researcher at Lookout Security, the kit pushes phishing links to users via email, masquerading as messages from Verizon Customer Support. These ...

  • Google Warns of Growing Android Attack Vector: Backdoored SDKs and Pre-Installed Apps

    April 1, 2019

    Google is reporting an uptick in efforts by bad actors to plant potentially harmful applications (PHAs) on Android devices via pre-installed apps and by bundling them with system updates delivered over the air. The technique is especially troubling, Google said, because PHAs are often malicious and users have no control over what comes pre-installed on their ...