ChatGPT Bug Exposed User Prompts, Sensitive Data
Key Takeaways
- A critical vulnerability in ChatGPT’s Data Analysis environment allowed attackers to exfiltrate sensitive user data and establish remote shell access.
- The flaw exploited DNS tunneling to bypass outbound communication restrictions, enabling covert data transmission and command execution.
- Attackers could leverage malicious prompts or custom GPTs to initiate the exploit with minimal user interaction.
- OpenAI patched the vulnerability on February 20, 2026, addressing the DNS tunneling vector.
Users frequently input highly confidential information into AI assistants, ranging from personal health records and financial statements to proprietary code. Cybersecurity researchers at Check Point Research recently unveiled a critical vulnerability within ChatGPT’s architecture that could have allowed threat actors to surreptitiously extract this sensitive user data.
The flaw exploited a hidden outbound channel within ChatGPT’s isolated code execution environment. This allowed attackers to exfiltrate chat histories, uploaded files, and AI-generated outputs without triggering any user notifications or consent prompts.
Bypassing Outbound Safeguards
OpenAI designed its Python-based Data Analysis environment as a secure sandbox, specifically implementing measures to block direct outbound HTTP requests to prevent data leakage. Furthermore, legitimate external API calls, known as GPT Actions, require explicit user consent via visible approval dialogs.
However, Check Point researchers identified a bypass mechanism that relied entirely on DNS tunneling. While conventional internet access was indeed blocked within the container environment, standard DNS resolution was still permitted. Attackers exploited this oversight by encoding sensitive user data directly into DNS subdomain labels.
Instead of using DNS merely for IP address resolution, the exploit fragmented data – such as a parsed medical diagnosis or a financial summary – into chunks small enough to fit inside subdomain labels. When the runtime performed a recursive DNS lookup, the entire resolver chain would carry this encoded data directly to an attacker-controlled external server. Crucially, because the system did not treat DNS traffic as an unauthorized external data transfer, it bypassed all user mediation and security safeguards.
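One defender-side check that the bypass described above suggests, as an added example that is not part of Check Point's or OpenAI's work: a small detector that scans resolver query logs for the tunneling pattern (many never-repeated names under one domain, long leftmost labels, high label entropy). The log line format, the domain exfil.example, the hex-looking labels and the thresholds are all constructed assumptions, not observed values.

```python
import math
from collections import defaultdict
# Constructed resolver log lines, "<timestamp> <client> <qname> <qtype>". The hex-looking
# labels under exfil.example are a made-up illustration of chunked data, not real traffic.
SAMPLE_LOG = """\
2026-02-18T10:00:01Z 10.0.0.5 pypi.org A
2026-02-18T10:00:02Z 10.0.0.5 files.pythonhosted.org A
2026-02-18T10:00:03Z 10.0.0.5 4d65646963616c2069642031323334.c1.exfil.example A
2026-02-18T10:00:03Z 10.0.0.5 2d2064696167.c2.exfil.example A
2026-02-18T10:00:04Z 10.0.0.5 6e6f7369733a.c3.exfil.example A
2026-02-18T10:00:04Z 10.0.0.5 20747970652032.c4.exfil.example A
2026-02-18T10:00:05Z 10.0.0.5 github.com A
"""

# Assumed starting thresholds; tune them against your own resolver's baseline.
MIN_UNIQUE_NAMES = 3   # a tunnel never repeats a name, ordinary hosts repeat constantly
MIN_LABEL_LEN = 20     # encoded chunks run far longer than typical hostname labels
MIN_ENTROPY = 2.5      # bits/char of the leftmost label; dictionary words average lower

def shannon_entropy(s):
    """Bits per character of the string's own character distribution (0.0 for empty)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Approximation: last two labels (use a public-suffix list in production)."""
    return ".".join(qname.split(".")[-2:])

def find_tunnel_domains(log_text):
    """Group queries by registered domain; return {domain: stats} for tunnel-like patterns."""
    names = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines instead of crashing the pipeline
            qname = parts[2].rstrip(".").lower()
            names[registered_domain(qname)].add(qname)
    flagged = {}
    for domain, qnames in names.items():
        labels = [q.split(".")[0] for q in qnames]
        stats = {"unique_names": len(qnames),
                 "max_label_len": max(len(l) for l in labels),
                 "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels)}
        if (stats["unique_names"] >= MIN_UNIQUE_NAMES and stats["max_label_len"] >= MIN_LABEL_LEN
                and stats["mean_entropy"] >= MIN_ENTROPY):
            flagged[domain] = stats
    return flagged
```

Run `find_tunnel_domains(SAMPLE_LOG)` against a day of real resolver logs to see which domains cross all three thresholds; a sandbox that needs only package-index resolution should produce very few such domains.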
Weaponizing Custom GPTs
The attack required minimal user interaction, initiating with a single malicious prompt. Threat actors could distribute these payloads across various public forums or social media platforms, often disguised as “productivity hacks” or “jailbreaks” promising to unlock premium ChatGPT functionalities.
Once a user pasted such a prompt into their chat, the ongoing conversation would seamlessly transform into a covert data-collection channel. Alternatively, attackers could embed the malicious logic directly into custom GPTs. If a user then interacted with a backdoored GPT – for instance, a simulated “personal doctor” tasked with analyzing uploaded medical PDFs – the system would secretly extract high-value identifiers and assessments.
Given that GPT developers officially lack access to individual user chat logs, this side channel offered a stealthy mechanism to harvest private workflows. When directly questioned, the AI would even confidently deny sending data externally, maintaining a complete illusion of privacy for the user.
The vulnerability’s scope extended beyond passive data theft, enabling a bidirectional communication channel between the runtime and the attacker. Threat actors could encode command fragments into DNS responses, sending raw instructions back into the isolated sandbox. A process running inside the container could then reassemble these payloads and execute them, effectively granting the attacker a remote shell within the Linux environment.
According to Check Point Research, this execution bypassed standard safety mechanisms, with commands and their results remaining invisible within the chat interface, leaving users entirely unaware of the compromise. OpenAI successfully patched the underlying issue on February 20, 2026, effectively closing the DNS tunnel. This incident, however, starkly highlights the expanding attack surface presented by modern AI assistants as they evolve into increasingly complex, multi-layered execution environments.
What You Should Do
- Be extremely cautious about pasting prompts from untrusted sources into AI assistants.
- Avoid using Custom GPTs from unverified developers, especially those promising “premium features” or “jailbreaks.”
- Regularly review the permissions and data access granted to any AI applications you use.
- Stay informed about security advisories and patches from AI vendors like OpenAI.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.