7 ChatGPT Flaws Exposed: ‘Zero-Click’ Injection Steals Data, Bypasses Security
Tenable Research has identified seven new vulnerabilities and exploitation techniques in ChatGPT that allow attackers to extract private user data, bypass security mechanisms, and persist access across sessions. These findings expose a series of flaws linked to indirect prompt injections, URL validation bypasses, and methods for coercing the model into long-term data leakage. According to Tenable, most of the proof-of-concept demonstrations were successfully executed on current GPT-5 implementations as well as earlier versions, with attack scenarios encompassing even the simplest user interactions—such as a casual request to “summarize this article” or a basic search query.
At the heart of these exploits lies a fundamental weakness in how language models process input content—the phenomenon known as prompt injection. Malicious actors embed hidden instructions within data that the model ingests while interacting with webpages or indexed content, causing the LLM to deviate from its intended purpose and execute foreign commands. Tenable details seven distinct techniques and vulnerabilities: Indirect Injection via Browsing Context, Zero-Click Injection through Search Indexing, Query Parameter Exploit via “q” URLs, url_safe Bypass, Conversation Injection, Hidden Markdown Payloads, and Memory Injection. Each represents both a standalone threat and a component of broader, multi-stage compromise scenarios.
The first vulnerability allows an attacker to plant hidden instructions within comment sections of trusted websites. When a user asks the model to summarize an article, ChatGPT fetches the page and inadvertently processes the malicious comment, transforming a benign summary task into an instruction leak.
The second technique, dubbed “zero-click”, demonstrates that it is enough for a malicious page to be indexed by search engines. When a user makes a routine query, the LLM may retrieve the poisoned content and absorb the injected commands—without any direct interaction from the victim. Researchers created targeted websites that displayed harmful prompts only to search subsystems, achieving successful proofs of concept under realistic conditions.
The third attack vector exploits query substitution via the “q” parameter in URLs, which OpenAI’s systems interpret as pre-formatted prompts. A simple click on such a crafted link effectively converts the user into an injection victim, as the parameter is automatically passed into the model’s query.
The fourth method involves bypassing url_safe validation. Because the domain bing.com is whitelisted, Bing-wrapped tracking links were treated as secure and rendered in full. Tenable demonstrated that this loophole could be weaponized to exfiltrate arbitrary strings character by character through sequences of seemingly “safe” links embedded in search results.
The fifth exploit, known as Conversation Injection, manipulates the interaction between subsystems—specifically when a SearchGPT response embeds an instruction meant for the main model. As ChatGPT parses the conversation history, it misinterprets this embedded command as part of the context and obediently executes it, effectively turning the lightweight browsing tool into an implicit command channel for the primary agent.
The sixth technique leverages a markdown rendering flaw: any text placed on the same line as a code-block marker remains invisible to users but fully readable to the model. Tenable demonstrated how this hidden segment could carry a concealed instruction, embedded within an innocent-looking response, silently guiding the model toward unintended actions.
The seventh and most dangerous technique is Memory Injection. Researchers showed that by carefully crafting SearchGPT responses, attackers could prompt the core system to update its biographical memory, embedding malicious directives that persist across sessions—creating a durable channel for ongoing data leakage and behavioral manipulation.
Combining these techniques enabled several full attack scenarios: phishing campaigns where malicious links appeared in generated summaries; poisoned blog comments that triggered recurring compromise; indexed “zero-click” sites capable of mass infection; and long-term memory infiltration, in which a victim’s data was continuously leaked through future interactions.
Tenable shared its findings with OpenAI’s development team, collaborating on partial mitigations. The company references three associated security advisories outlining critical vectors and proposed countermeasures. However, Tenable stresses that prompt injection is a structural weakness of LLM architectures, one that will require deep engineering reforms, stronger content-source validation, and a redefinition of trust logic for indexed resources.
Practical recommendations include rigorous filtering of externally sourced content, enhanced url_safe logic to account for redirects, additional validation of any memory updates, and greater transparency in rendering external fragments to users. Organizations are advised to restrict automated browsing features, train staff to scrutinize suspicious links and AI-generated summaries, and treat model outputs as assistive insights rather than inherently trustworthy information.
Ultimately, these findings reveal how distributed AI components interact across trust boundaries, and how attackers can weaponize those intersections. Tenable emphasizes the urgent need for a systemic, collaborative approach to LLM security, uniting vendors, researchers, and the wider community to minimize emerging risks as language models continue to proliferate across the digital landscape.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
