ChatGPT security vulnerabilities discovered by Tenable Research expose a fundamental risk: the assumption that AI tools are secure by default is dangerously wrong. Researchers identified seven distinct attack vectors in OpenAI’s flagship chatbot, including indirect prompt injections, memory manipulation, and DNS-based data exfiltration that could steal private information without users ever knowing.
Key Takeaways
- Seven ChatGPT security vulnerabilities enable attackers to exfiltrate private data from user memories and chat history without detection
- Memory injection attacks create persistent backdoors that leak data across multiple conversations via DNS tunneling
- GPT-4o and GPT-5 models vulnerable to indirect prompt injection through web pages and search results
- OpenAI patched some flaws following November 5, 2025 disclosure; separate March incident exposed chat titles and partial payment data
- Hundreds of millions of daily LLM users potentially at risk from these attack techniques
How ChatGPT security vulnerabilities enable silent data theft
The most dangerous ChatGPT security vulnerabilities work silently. Attackers use memory injection to trick ChatGPT into adding a persistent memory that exfiltrates private information in every response. Once injected, this backdoor survives across different conversations—the attacker doesn’t need to re-compromise the user each time. The technique exploits a URL-safe bypass vulnerability that hides the exfiltration in plain sight, making it invisible to users who have no way to audit what data their AI assistant is leaking.
The attack unfolds in three stages. First, an attacker injects malicious instructions into ChatGPT through one of several entry points. Second, ChatGPT adds a memory that instructs it to exfiltrate sensitive data. Third, every prompt the user sends triggers the backdoor, leaking private information without the user’s knowledge or consent. Tenable researchers confirmed this works against GPT-4o and GPT-5 models, affecting the latest versions of ChatGPT available to millions of users.
Two overlooked attack vectors: indirect prompt injection
ChatGPT security vulnerabilities extend beyond direct hacking. Attackers exploit ChatGPT’s browsing and search features to inject malicious instructions indirectly. When you ask ChatGPT to summarize a web page, attackers can hide instructions in the page’s comment section. ChatGPT reads the page, executes the hidden instructions, and compromises your session without you knowing the page was malicious.
The second vector is even more insidious: zero-click injection through search. When you ask ChatGPT a natural language question about a niche topic, the LLM queries search engines like Bing or OpenAI’s SearchGPT crawler. Attackers can index malicious pages on these engines, ensuring ChatGPT retrieves and executes their instructions automatically. No user click required. No suspicious link. Just a normal question that triggers a hidden attack.
ChatGPT security vulnerabilities and the March breach: a pattern emerges
The November discovery of ChatGPT security vulnerabilities by Tenable researchers is not an isolated incident. In March 2025, OpenAI disclosed a separate breach caused by a bug in the Redis open-source library, exposing chat titles, first messages, and partial payment information for active premium users. OpenAI acknowledged the failure bluntly: “Unfortunately, this week we fell short of that commitment” to protecting user privacy.
The March incident affected hundreds of users during a one-hour window, leaking names, email addresses, payment addresses, card type, and the last four digits of credit cards. No full card details were stolen, but the breach revealed how third-party dependencies create vulnerabilities that OpenAI cannot fully control. The company took ChatGPT offline immediately, patched the flaw the same day, and notified affected users. Yet the pattern is clear: ChatGPT security vulnerabilities emerge not from malice but from the inherent complexity of AI systems and their supply chains.
Why ChatGPT security vulnerabilities matter to hundreds of millions of users
Hundreds of millions of people use ChatGPT daily, many without understanding the security model protecting their conversations. They assume their chat history is private. They assume their memories stay confidential. They assume OpenAI’s infrastructure cannot be compromised. These assumptions are wrong. The ChatGPT security vulnerabilities discovered by Tenable researchers prove that attackers can exfiltrate sensitive data—financial information, medical details, personal secrets—without triggering any warning.
The risk scales with adoption. Every new ChatGPT user is a potential target. Every conversation containing sensitive information is exposed. Every memory stored in ChatGPT becomes a liability. OpenAI has launched a Bug Bounty Program offering rewards up to $20,000 for exceptional discoveries, but this is a reactive measure, not a preventive one. The company is asking researchers to find vulnerabilities after they exist, not building systems that prevent them from emerging in the first place.
What OpenAI patched—and what remains unpatched
OpenAI patched some ChatGPT security vulnerabilities following Tenable’s November 5, 2025 disclosure, but the scope of the fix remains unclear. The company has not published a detailed security advisory explaining which specific flaws were patched, which remain open, or which affect which models. This opacity is itself a vulnerability: users cannot make informed decisions about what data to share with ChatGPT if they don’t know which attacks are still possible.
The contrast with other AI systems is instructive but limited. Tenable’s research indicates that similar indirect prompt injection and data exfiltration techniques could affect other large language models, though the brief does not detail which competitors are vulnerable. The real lesson is not that ChatGPT is uniquely broken—it’s that the entire AI industry is shipping products without security as a default principle.
The hard truth: AI tools are not secure by default
The headline of this story is not a dramatic exaggeration—it’s a warning. Do not assume ChatGPT security vulnerabilities are rare exceptions. Do not assume OpenAI has eliminated all attack vectors. Do not assume your conversations are private just because OpenAI says they are. The company has failed to protect user privacy multiple times in 2025 alone, first with the Redis breach in March, then with the memory injection vulnerabilities exposed in November.
This is not a failure unique to OpenAI. It’s a failure endemic to the AI industry. ChatGPT security vulnerabilities exist because building secure AI systems is hard. It requires security expertise, investment in testing, and a culture that prioritizes privacy over features. OpenAI, like most AI companies, has not yet made that choice consistently.
What should users do right now?
Do not share financial information, medical details, passwords, or other sensitive data with ChatGPT. Do not assume your chat history is confidential. Do not trust ChatGPT to keep your memories private, especially if you pay for premium features. Use ChatGPT for general questions, brainstorming, and tasks that don’t require confidentiality. For sensitive work, use local tools or offline alternatives.
For organizations, the implications are more severe. If your employees are using ChatGPT to summarize proprietary documents, analyze confidential data, or draft sensitive communications, you are exposing trade secrets to attackers who exploit ChatGPT security vulnerabilities. The March Redis breach and November memory injection flaws prove that OpenAI’s infrastructure is not hardened against sophisticated attacks. Do not assume it will be in the future.
Why this matters right now
The timing of Tenable’s disclosure is critical. ChatGPT usage is accelerating globally, with hundreds of millions of daily users relying on the platform for work and personal tasks. Each new user is a potential target for attackers exploiting ChatGPT security vulnerabilities. OpenAI’s patches are incomplete and opaque. The company’s track record in 2025 shows repeated failures to protect user data. The window to change behavior—to build security into AI systems from the ground up—is closing.
Is ChatGPT safe to use for sensitive information?
No. ChatGPT security vulnerabilities demonstrated by Tenable researchers and confirmed by OpenAI’s March breach prove that the platform is not designed to protect sensitive data. Do not use ChatGPT for passwords, financial details, medical information, or trade secrets. The company has not yet made security a core principle of its product design.
What is the difference between the March Redis breach and the November memory injection flaws?
The March breach was a third-party library bug that exposed chat titles and partial payment data for a brief period. The November vulnerabilities are architectural flaws in ChatGPT itself that allow attackers to inject persistent backdoors into user accounts. The March incident was an accident; the November flaws are design gaps.
Will OpenAI’s Bug Bounty Program prevent future ChatGPT security vulnerabilities?
No. The Bug Bounty Program, launched after the March incident, is a reactive measure that rewards researchers for finding vulnerabilities after they exist. It does not prevent ChatGPT security vulnerabilities from being built into the product in the first place. OpenAI needs to invest in proactive security design, threat modeling, and red-teaming before features ship, not after attacks are discovered.
The hard truth is this: ChatGPT security vulnerabilities will continue to emerge because OpenAI, like most tech companies, treats security as a compliance checkbox rather than a core principle. Users must adjust their behavior accordingly. Do not assume AI tools are secure. Do not share sensitive data. Do not trust promises of confidentiality until the company proves it can keep them consistently.
Edited by the All Things Geek team.
Source: TechRadar


