ChatGPT Bug Reveals Critical User Data, Including Payment Info—What Happened?

OpenAI said this incident affected about 1.2% of ChatGPT Plus subscribers.

Chatgpt
ilgmyzin on Unsplash

OpenAI released further information about the reasons it temporarily disabled ChatGPT last Monday, Mar. 20, including the possibility that the payment details of some users were compromised.

System Down

According to The Verge report, OpenAI acknowledged a caching problem as the cause of a fault in the open-source module redis-py. This allegedly exposed the last four digits of credit cards and expiry dates to certain customers, along with their first and last names, email addresses, and payment addresses. Some users may have had glimpses of others' conversation logs as well.

Previously, on Christmas Day 2015, Steam customers were sent pages containing information from other users' accounts due to a caching problem. So this is not the first time. It is ironic that OpenAI, which spends a lot of time and effort investigating the possible risks associated with its AI, fell victim to a widely-known security flaw.

The business estimates that 1.2% of ChatGPT Plus users whose accounts were active between Mar. 20 at 4:00 AM and at 1:00 PM ET were impacted by the payment breach.

OpenAI identifies two potential situations in which sensitive financial information was exposed to an unauthorized third party. During that time, users who visited the My Account > Manage Subscription page could have been exposed to the account details of another person who was also subscribed to ChatGPT Plus.

The firm also claims that certain membership confirmation emails received during the event were sent to the incorrect individual, with the last four digits of the user's credit card information included.

Company officials admit they cannot say for sure, but they believe both events took place before the system went down. OpenAI has reached out to customers who may have had their financial details compromised.

What went wrong?

Caching seems to be the linchpin in this whole occurrence.

The firm provides a detailed technical explanation in its article, but the shorter version, as per The Verge, is that OpenAI employs a program called Redis to store user data in a cache. Corrupted data for another request, which should not have occurred, might be returned if a Redis request is terminated. Most of the time, when an app receives data that it did not request, it will generate an error.

But if the two users were requesting identical data, the software would have concluded that everything was good and shown the data to the second user. For instance, if one user was trying to access their account page while the other was trying to access another user's account page.

People were viewing another individual's chat and payment histories because they were being sent cached data meant for someone else but never delivered because of a canceled request. This is also why inactive users were not impacted. People not actively using the app would not have any of their data stored locally.

What's worse is that on Mar. 20, OpenAI unexpectedly created a surge in canceled Redis queries, increasing the possibility of the vulnerability returning an unrelated cache.

Trisha Andrada
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics