- Tenable says it found seven prompt injection flaws in ChatGPT-4o, dubbed the “HackedGPT” attack chain
- Vulnerabilities include hidden commands, memory persistence, and safety bypasses via trusted wrappers
- OpenAI fixed some issues in GPT-5; others remain, prompting calls for stronger defense
ChatGPT has a slew of security issues that could allow threat actors to insert hidden commands, steal sensitive data, and spread misinformation into the AI tool, security researchers are saying.
Recently, security experts from Tenable tested OpenAI’s ChatGPT-4o and found seven vulnerabilities which they collectively named HackedGPT. These include:
- Indirect prompt injection via trusted sites (hiding commands inside public sites which GPT can unknowingly follow when reading the content)
- 0-click indirect prompt injection in search context (GPT searches the web and finds a page with hidden malicious code. Asking questions can unknowingly force GPT to follow the instructions)
- Prompt injection via 1-click (A twist on phishing in which a user clicks on a link with hidden GPT commands)
- Safety mechanism bypass (wrapping malicious links in trusted wrappers, tricking GPT into displaying the links to the user)
- Conversation injection: (Attackers can use the SearchGPT system to insert hidden instructions that ChatGPT later reads, effectively prompt-injecting itself).
- Malicious content hiding (malicious instructions can be hidden inside code or markdown text)
- Persistent memory injection (malicious instructions can be placed in saved chats, causing the model to repeat the commands and continually leak data).
Calls for hardening defences
OpenAI, the company behind ChatGPT, has addressed some of the flaws in its GPT-5 model, but not all of them, leaving millions of people potentially at risk.
Security researchers have been warning about prompt injection attacks for quite some time now.
Google’s Gemini is apparently susceptible to a similar issue, due to being integrated with Gmail, as users can receive emails with hidden prompts (typed with a white font on a white background, for example) and if the user prompts the tool for anything regarding that email, it can read and act on the hidden prompt.
While in some cases, the tool’s developers can set up guardrails, most of the time it is up to the user to be vigilant and not fall for these tricks.
“HackedGPT exposes a fundamental weakness in how large language models judge what information to trust,” said Moshe Bernstein, Senior Research Engineer at Tenable.
“Individually, these flaws seem small – but together they form a complete attack chain, from injection and evasion to data theft and persistence. It shows that AI systems aren’t just potential targets; they can be turned into attack tools that silently harvest information from everyday chats or browsing.”
Tenable said OpenAI remediated “some of the vulnerabilities identified”, adding that “several” remain active in ChatGPT-5, without saying which ones. As a result, the company advises AI vendors to harden defences against prompt injection by verifying that safety mechanisms work as intended.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
