Unbounded Consumption / DoS · High
ChatGPT crawler reflective DDoS
January 2025 · OpenAI ChatGPT
What happened
A researcher found that OpenAI's chatgpt.com/backend-api/attributions endpoint accepted an unbounded list of URLs in a single request and issued a separate crawler request to each, letting one HTTP POST be amplified into a flood of requests from OpenAI's Azure IP ranges against any chosen victim site. OpenAI quietly disabled the endpoint after public disclosure.
Root cause
The endpoint applied no de-duplication, count limit, or rate limiting to the caller-supplied URL list, turning the ChatGPT crawler into a reflector for amplified outbound requests.
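The three controls the root cause says were missing, as an added example that is not OpenAI's code: a hard cap on list length, de-duplication after URL normalisation, and a per-caller sliding-window budget on outbound crawler fetches. The limits, the caller identifier and the function names are illustrative assumptions.

```python
import time
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Assumed limits; the original endpoint enforced none of these.
MAX_URLS_PER_REQUEST = 10      # hard cap on list length per request
FETCH_BUDGET_PER_MINUTE = 30   # outbound crawler fetches per caller per minute


def normalise(url):
    """Canonicalise http(s) URLs so trivial variants dedupe; None if rejected."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                     # raises ValueError on junk ports
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port and port != (443 if scheme == "https" else 80):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


class FetchBudget:
    """Sliding one-minute window of outbound fetches charged to each caller."""
    def __init__(self, per_minute=FETCH_BUDGET_PER_MINUTE):
        self.per_minute = per_minute
        self._log = defaultdict(list)

    def charge(self, caller, n, now=None):
        now = time.monotonic() if now is None else now
        window = [t for t in self._log[caller] if now - t < 60]
        allowed = len(window) + n <= self.per_minute
        if allowed:
            window.extend([now] * n)
        self._log[caller] = window
        return allowed


def accept_urls(raw_urls, caller, budget, now=None):
    """Return the unique URLs the crawler may fetch for this request, else raise."""
    if not isinstance(raw_urls, list) or len(raw_urls) > MAX_URLS_PER_REQUEST:
        raise ValueError(f"at most {MAX_URLS_PER_REQUEST} urls per request")
    accepted = []
    for u in raw_urls:
        canon = normalise(u) if isinstance(u, str) else None
        if canon is not None and canon not in accepted:   # drop junk and repeats
            accepted.append(canon)
    if not budget.charge(caller, len(accepted), now):
        raise ValueError("per-caller fetch budget exhausted; retry later")
    return accepted
```

Because the budget is charged per unique URL actually fetched rather than per request, a caller who pads one request with repeats gains nothing, and a caller who spreads fetches across many small requests still hits the same per-minute ceiling.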
Fix / outcome
OpenAI removed the vulnerable endpoint after the January 2025 disclosure. The researcher's name is press-attributed (The Register) and is not stated in the advisory.