Vulnerability in ChatGPT’s crawler: How it can be exploited

  • Lisa Fröhlich
  • January 24, 2025

A recently discovered vulnerability in ChatGPT’s crawler could be used by attackers to launch Distributed Denial-of-Service (DDoS) attacks against any website. The problem lies in the way the ChatGPT API endpoint processes certain requests and then sends multiple requests in parallel to external websites. The underlying vulnerability has not been acknowledged or fixed by either OpenAI or Microsoft. 

How does the vulnerability work?

ChatGPT uses an API to crawl websites to “learn” from them. The affected API endpoint is used by ChatGPT to retrieve information from external sources, which it references in its responses. For example, a legitimate use could be a list of links that OpenAI checks and the crawler accesses to retrieve information such as metadata or content. 

The vulnerability exists because the endpoint does not implement the following protections: 

  1. No duplicate link checking: You can submit a list that contains the same target URL multiple times with only minor modifications (e.g., different parameters or paths). 
  2. No limit on the number of links: The API endpoint accepts lists with thousands of links without any limit. 

What happens in such an attack?

An attacker could exploit the vulnerability by submitting a list of links that all point to the same target website. This list is sent to the ChatGPT endpoint, which then automatically initiates a request to the target site for each link. Because the ChatGPT crawler runs on powerful infrastructure, such as Microsoft Azure, thousands of parallel connections to a single website can be established in a matter of seconds. 

As a result, the target site is overwhelmed by the flood of requests. Such an attack can lead to a DDoS situation, where the website becomes inaccessible to normal users. 

Impact and Risks

A DDoS attack can cause the following problems for affected websites and services: 

  • Outages: The website may be temporarily or permanently unavailable. 
  • Performance degradation: The speed of the website may be significantly affected. 
  • Reputational damage: User confidence in the website or service may be undermined by outages. 

A practical example

Suppose an attacker sends a list of 5,000 links to the API endpoint. Each link looks like a new, legitimate URL, but ultimately leads to the same website. The OpenAI crawler processes this list by sending 5,000 requests to the site at the same time. The target site is suddenly confronted with so many simultaneous requests that it can break down. 
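From the operator's side, the pattern described above (one user agent, a burst of requests to the same page with only the query string varying, possibly spread over several source IPs) is visible in ordinary web-server access logs. The following script is an added example, not code from the article or from the researcher's PoC: it parses constructed combined-format log lines and flags any user agent that exceeds a request threshold inside a sliding time window, reporting how many distinct URLs and source IPs were involved. The user-agent string "ExampleCrawler/1.0", the IP addresses and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/Nginx): ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "ua": m["ua"],
    }


def detect_crawler_bursts(lines, window_seconds=10, min_requests=50):
    """Group requests by user agent and find, for each agent, the densest
    sliding window of `window_seconds`. Agents whose densest window holds at
    least `min_requests` hits are reported together with the number of
    distinct URLs and source IPs seen in that window (the attack pattern on
    this page is many near-identical URLs arriving from several IP ranges)."""
    by_ua = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ua[rec["ua"]].append(rec)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ua, recs in by_ua.items():
        recs.sort(key=lambda r: r["ts"])
        best_count, best_start, best_end = 0, 0, 0
        start = 0
        for end in range(len(recs)):  # two-pointer sliding window
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start, best_end = end - start + 1, start, end + 1
        if best_count < min_requests:
            continue
        burst = recs[best_start:best_end]
        alerts[ua] = {
            "requests": best_count,
            "distinct_paths": len({r["path"] for r in burst}),
            "source_ips": sorted({r["ip"] for r in burst}),
        }
    return alerts


def build_sample_log():
    """Constructed sample traffic, not a real log: 60 crawler hits to the same
    article within 5 seconds, each with a different query string, spread over
    three source IPs, plus three ordinary browser visits."""
    lines = []
    for i in range(60):
        ip = f"203.0.113.{10 + i % 3}"           # three assumed crawler source IPs
        ts = f"24/Jan/2025:10:00:{i // 12:02d} +0000"
        lines.append(f'{ip} - - [{ts}] "GET /article?ref={i} HTTP/1.1" 200 4096 "-" "ExampleCrawler/1.0"')
    for i in range(3):
        lines.append(f'198.51.100.7 - - [24/Jan/2025:10:00:0{i} +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ua, info in detect_crawler_bursts(build_sample_log()).items():
        print(f"{ua}: {info['requests']} requests, {info['distinct_paths']} distinct URLs, "
              f"from {len(info['source_ips'])} IPs")
```

Keying on the user agent rather than the source IP is deliberate: the article notes the crawler can arrive from different IP ranges, so per-IP counters would under-count the burst. A high ratio of distinct URLs to requests is the analyst's cue that the URLs were padded with throwaway parameters; the same rule, fed by a log shipper instead of a constructed list, can drive a rate-limit or block action in a WAF.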

Assessment by Benjamin Flesch

Security researcher Benjamin Flesch, who discovered the vulnerability and published his PoC (proof of concept) code on GitHub on January 10, 2025, describes the bug in an interview as a “serious quality defect” in the way the OpenAI API handles HTTP requests. According to Flesch, this is a situation where OpenAI ignores the basics of secure API architecture by neither filtering duplicate URLs nor implementing a limit on the number of links per request. 

Flesch also emphasizes that this vulnerability offers enormous amplification potential for the attack: with just a single HTTP request, attackers could establish thousands of parallel connections, abusing powerful resources such as Microsoft’s Azure infrastructure to bring a target site to its knees. 

Why is this problematic?

  • DDoS Reflection: The attacker only needs to send a single request to OpenAI’s API, which requires few resources. The actual “work” is done by OpenAI’s crawler, which overloads the target site. 
  • High scalability: With the Microsoft Azure infrastructure behind the crawler, the attack surface is huge. OpenAI crawlers can send requests from different IP ranges, which makes them more difficult to defend against. 
  • Simplicity: No technical knowledge or advanced privileges are required. A simple HTTP request is all that is needed to trigger the process. 

Conclusion

This vulnerability is a prime example of how inadequate quality assurance in software development can lead to significant security risks. Attackers could use this vulnerability to deliberately cripple websites, leaving web service operators almost powerless.  

OpenAI and Microsoft have been asked to fix the vulnerability by implementing measures such as checking for duplicate links, limiting URL lists, and limiting the number of API requests that a client can make to a server in a given period of time. Until these measures are implemented, though, there is a large hole in ChatGPT’s security. 
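The three server-side measures listed here (duplicate-link checking, a cap on the URL list, and per-client request limiting) correspond directly to the two missing protections described under "How does the vulnerability work?". The code below is an added illustration of how an API that accepts a list of URLs to fetch can enforce them; it is not OpenAI's code and nothing about their endpoint is known from the article beyond the missing checks. The limits (20 links per request, 3 per host, a token bucket of 3 requests with 1 per second refill) are assumed policy values for the example, and the `now` parameter exists only so the limiter can be tested with a fake clock.

```python
import time
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_LINKS_PER_REQUEST = 20   # assumed policy value, not a vendor's setting
MAX_LINKS_PER_HOST = 3       # assumed policy value


class LinkListRejected(ValueError):
    """Raised when a submitted URL list violates a hard limit."""


def canonicalize(url):
    """Normalize a URL so that trivial variations of the same link compare equal:
    lower-case scheme and host, default path '/', sorted query string, no fragment.
    Only http(s) is accepted."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise LinkListRejected(f"unsupported URL: {url!r}")
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", query, ""))


def validate_link_list(urls):
    """Apply the list-level protections: reject oversized lists outright, drop
    exact duplicates after canonicalization, and cap links per target host so
    one request cannot concentrate its fetches on a single site.
    Returns (accepted_urls, Counter of drop reasons)."""
    if len(urls) > MAX_LINKS_PER_REQUEST:
        raise LinkListRejected(f"{len(urls)} links exceeds limit of {MAX_LINKS_PER_REQUEST}")
    accepted, seen, per_host, dropped = [], set(), Counter(), Counter()
    for url in urls:
        canon = canonicalize(url)
        if canon in seen:
            dropped["duplicate"] += 1
            continue
        host = urlsplit(canon).hostname
        if per_host[host] >= MAX_LINKS_PER_HOST:
            dropped["per_host_cap"] += 1
            continue
        seen.add(canon)
        per_host[host] += 1
        accepted.append(canon)
    return accepted, dropped


class TokenBucket:
    """Classic token bucket: `burst` tokens available at once, refilled at `rate_per_sec`."""

    def __init__(self, rate_per_sec, burst, now=time.monotonic):
        self.rate, self.capacity, self.now = rate_per_sec, burst, now
        self.tokens, self.last = float(burst), now()

    def allow(self):
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ClientRateLimiter:
    """Per-client request limiting: each client id gets its own bucket, so one
    caller cannot submit list after list in quick succession."""

    def __init__(self, rate_per_sec, burst, now=time.monotonic):
        self.rate, self.burst, self.now = rate_per_sec, burst, now
        self.buckets = {}

    def allow(self, client_id):
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.rate, self.burst, self.now)
        return bucket.allow()


if __name__ == "__main__":
    # Constructed input: ten links to one host differing only in a parameter.
    accepted, dropped = validate_link_list([f"https://example.com/page?ref={i}" for i in range(10)])
    print(len(accepted), "accepted;", dict(dropped))
```

Canonicalizing before the duplicate check matters: without it, `https://Example.com/page?b=2&a=1` and `https://example.com/page?a=1&b=2#top` count as two different links, which is exactly the "minor modifications" trick the article describes. The per-host cap is the stronger of the two list checks, because it bounds the load any single request can place on one site regardless of how the URLs are varied, and the per-client limiter bounds how often that request can be repeated.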

Protect your website and services from DDoS attacks. The vulnerability discovered in the ChatGPT crawler shows how quickly websites can be targeted by DDoS attacks through insecure APIs. Don’t let these threats bring your services down. Our comprehensive DDoS protection solutions detect and block malicious requests before they reach your site. 

Contact us today to secure your infrastructure and ensure service availability! 
