Critical OpenAI Vulnerability Exposed Sensitive Prompts and API Activity
Key Takeaways Attackers are leveraging OpenAI’s organization invitation system for a “poisoned tenant” scheme. The attack allows adversaries to harvest sensitive prompts, API...
Key Takeaways
- Attackers are leveraging OpenAI’s organization invitation system for a “poisoned tenant” scheme.
- The attack allows adversaries to harvest sensitive prompts, API activity, and potentially corporate data from users who unknowingly join fake organizations.
- Emails originate from legitimate OpenAI domains, bypassing traditional security measures.
- The vulnerability exploits a lack of robust verification during the organization joining process.
Attackers Exploit OpenAI Invitations to Harvest Sensitive Data
Cybersecurity researchers have uncovered an active “poisoned tenant” campaign exploiting OpenAI’s organization invitation functionality. This sophisticated attack enables threat actors to surreptitiously collect sensitive prompts, API usage data, and potentially confidential corporate information from unsuspecting users.
Table Of Content
The campaign, detailed in research by Push Security, involves attackers creating bogus OpenAI organizations. In one observed instance, the malicious entity mimicked a legitimate company, “Push Security Inc,” and subsequently dispatched targeted invitations to employees.
The Deceptive Nature of the Attack
A critical aspect of this scheme is the legitimacy of the invitation emails. Unlike typical phishing attempts, these messages are not spoofed. They originate directly from OpenAI’s official notification system ([email protected]) and successfully pass all standard authentication checks, appearing indistinguishable from genuine collaboration invites.
The only subtle indicator of a potential threat is a small disclaimer stating that the inviter’s domain does not align with the recipient’s corporate domain. However, this detail is easily overlooked, especially given the otherwise authentic appearance of the email and its references to real company information.
Seamless Onboarding to a Compromised Environment
The danger escalates significantly once a recipient interacts with the invitation. Researchers found that joining the attacker-controlled organization requires only a single click, with no further authentication or verification steps. Even from a fresh browser session without an existing OpenAI login, the user’s account is instantly linked to the malicious tenant.
To enhance the illusion of legitimacy, the attackers impersonated a company executive and granted all invited users “Owner” privileges, providing them with full administrative access within the fake organization. Furthermore, a credit card was added to the account, likely to remove any friction and prevent suspicion if users attempted to access paid features, as noted by Push Security.
The Long-Term Data Harvesting Objective
The primary goal of this attack is not immediate credential theft but rather sustained data harvesting. If an employee mistakenly believes the organization is legitimate and begins using it for work-related tasks, any prompts, uploaded files, or API interactions become visible to the attacker. This harvested data could include proprietary source code, internal documentation, cybersecurity research, or sensitive customer information.
This technique builds upon the “poisoned tenant” concept, first described in 2023, where attackers establish fake SaaS environments to trick users into joining. In this specific context, the attack capitalizes on the increasing integration of AI platforms into enterprise workflows. As employees rely more heavily on tools like ChatGPT for daily operations, the value of captured prompt data, which can contain highly sensitive business logic, becomes substantially higher.
Escalation Risks and Broader Trends
Push Security researchers caution that attackers could escalate their access and impact. Potential escalation vectors include sharing malicious chat interactions, injecting harmful prompts, or abusing third-party integrations linked to the compromised OpenAI environment. Such actions could lead to data exfiltration, OAuth token abuse, or lateral movement into connected services like email, cloud storage, and collaboration platforms.
This campaign is indicative of a broader trend where threat actors weaponize trusted SaaS platforms as delivery mechanisms. Recent reports from Kaspersky and Cisco Talos have highlighted similar abuses across OpenAI, GitHub, and Jira, where malicious content is embedded within platform-generated notifications. Because these messages originate from legitimate domains, they often bypass conventional security controls, making detection and defense particularly challenging.
The lack of obvious indicators, such as malicious links or spoofed domains, means traditional security solutions are often ineffective. The underlying infrastructure is entirely legitimate. Consequently, organizations must enhance their visibility into SaaS usage, meticulously monitor which external tenants employees join, and educate users that even authentic platform emails can pose significant security risks.
This incident underscores a growing security vulnerability within modern enterprises. As SaaS and AI platforms become more pervasive, their built-in collaboration features present an increasingly attractive attack surface. Without stronger safeguards, such as enforced domain verification or stricter controls on organization joining, attackers will continue to exploit these trusted systems to silently exfiltrate sensitive data.
What You Should Do
- Educate Users: Train employees to scrutinize all organization invitations, even those from legitimate platforms like OpenAI, for discrepancies in domain names or unexpected requests to join.
- Implement SaaS Monitoring: Utilize tools to gain visibility into employee SaaS usage, specifically monitoring which external organizations or tenants users are joining.
- Enforce Strict Access Controls: Where possible, configure SaaS platforms to require multi-factor authentication for joining new organizations or restrict joining to pre-approved domains.
- Review OpenAI Organization Settings: Regularly audit your OpenAI organization settings to ensure only authorized users are members and to identify any suspicious activity.
- Caution with Sensitive Data: Advise employees against inputting sensitive or proprietary company information into any AI platform unless it is a verified, company-controlled instance with appropriate security measures.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.