
The ChatGPT Account Takeover Vulnerability Allows Hackers To Gain Access To Online Accounts of Users 

Rithika Biswas April 19, 2023
Updated 2023/04/21 at 11:53 AM

Nagli (@naglinagli), a prominent security analyst and bug hunter, recently discovered a significant security issue in ChatGPT. A threat actor could quickly exploit the vulnerability and obtain complete control of any ChatGPT user's account with a single click, gaining access to sensitive data and the ability to carry out unauthorised acts. This is known as "Account Take Over": a cyber attack in which an attacker gains unauthorised access to an account, either by exploiting a flaw in the system or by stealing the owner's login credentials.

After gaining access to a target system or device, an attacker can engage in a number of malicious activities, including theft of personal information, fraudulent transactions, and virus distribution. In this case, the attacker uses a web cache deception vulnerability to get access to the victim's ChatGPT account. The flaw allowed a remote attacker to compromise any user's account and take it over completely with a single click.

Attack Flow of the ChatGPT Account Take Over Bug

A web cache deception vulnerability is a security issue that allows attackers to fool a web server's caching logic and get access to user accounts. This type of vulnerability can occur when a website's server cache is configured or used inappropriately. Hackers can exploit the vulnerability to take control of a ChatGPT account, or to alter cached web pages or generate bogus ones in order to deceive users.


This data might then be used to make a request to "https://chat.openai.com/api/auth/session/victim.css." Regardless of whether a "victim.css" file existed on the server, the server would reply with the same information as "/api/auth/session." Because of the ".css" extension, the server would cache the response as a CSS file, recording the victim's session content, data, and access tokens in the process.

To be successful, the CF-Cache-Status response header must confirm a cache "HIT." This means that the data was cached and will be served to the next request within the same region. If an attacker manipulates the load balancer into caching a request on a customised path, the attacker can extract sensitive data from the cached response.

When Nagli noticed the problem, he took prompt and responsible action by reporting it to the ChatGPT team. In doing so, he helped prevent potential harm and contributed to the continued safety of ChatGPT users. Although the researcher received no monetary compensation for his efforts, he stated that he is glad to have contributed to the improved security of the unique product.

Web cache deception is a serious issue that is quite simple to exploit. However, there are several mitigations for this problem, which we have listed below:

  • The cache server should operate based on the application's cache-control headers.
  • Cache files only if the HTTP caching headers permit it.
  • Cache files based on their Content-Type header, not merely their file extension.
  • For non-existent files, return an HTTP status such as 404 or 302.
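The mitigations above can be expressed as a cache admission check. The following is an added example, not code from OpenAI, Cloudflare or the researcher: the function names, the extension table and the sample response headers are assumptions constructed for illustration. It compares an extension-only caching rule with one that requires explicit cache-control permission, a matching Content-Type and a 200 status.

```python
from posixpath import splitext

# Extension -> Content-Type a shared cache should expect (assumed list).
EXPECTED_TYPES = {".css": "text/css", ".js": "text/javascript",
                  ".png": "image/png", ".svg": "image/svg+xml"}


def naive_should_cache(path, status, headers):
    """Extension-only rule: the behaviour that enables cache deception."""
    return splitext(path)[1].lower() in EXPECTED_TYPES


def hardened_should_cache(path, status, headers):
    """Cache only if the origin permits it and the type matches the extension."""
    h = {k.lower(): v for k, v in headers.items()}
    if status != 200:  # missing files must surface as errors, never be stored
        return False
    directives = {d.split("=")[0].strip().lower()
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    if directives & {"private", "no-store", "no-cache"}:
        return False
    if not directives & {"public", "max-age", "s-maxage"}:
        return False  # no explicit permission from the application
    expected = EXPECTED_TYPES.get(splitext(path)[1].lower())
    actual = h.get("content-type", "").split(";")[0].strip().lower()
    return expected is not None and actual == expected


def deceptive_paths(responses):
    """Paths the naive rule would store but the hardened rule rejects."""
    return [p for p, s, h in responses
            if naive_should_cache(p, s, h) and not hardened_should_cache(p, s, h)]


# Constructed origin responses (headers are illustrative, not captured traffic).
SAMPLES = [
    ("/static/site.css", 200,
     {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}),
    ("/api/auth/session/victim.css", 200,
     {"Content-Type": "application/json"}),
    ("/api/auth/session/victim.css", 200,
     {"Content-Type": "application/json; charset=utf-8",
      "Cache-Control": "public, max-age=60"}),
    ("/static/missing.css", 404, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for path in deceptive_paths(SAMPLES):
        print("would be wrongly cached by extension-only rule:", path)
```

The third sample shows why the Content-Type check is needed in addition to the cache-control check: even if the origin marks the response as cacheable, a JSON body served under a ".css" path is still rejected.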

 
