Key Findings
Check Point Research has uncovered a critical vulnerability in ChatGPT's code execution environment that allows sensitive user data to be silently exfiltrated without the user's knowledge or consent. This hidden outbound communication path bypasses the platform's advertised privacy safeguards.
Silent Exfiltration Risk
A well-crafted malicious prompt can transform an ordinary conversation into a covert exfiltration channel. This channel can leak user messages, uploaded files, and other sensitive content to an external server without any visible warning or approval.
GPT Vulnerabilities
If a GPT (customized ChatGPT version) is backdoored, it could exploit the same weakness to access and send user data to a third party without the user's awareness. The same hidden path could also be used to establish remote shell access inside the Linux runtime used for code execution, giving attackers full control over the container.
The Incident
Modern AI assistants handle some of the most sensitive data people own. Users share medical symptoms and history, ask about taxes and personal finances, and upload PDFs, contracts, lab results, and identity documents containing names, addresses, account details, and private records. The trust in these systems depends on a simple expectation: data shared in a conversation stays within the system.
ChatGPT itself presents outbound data sharing as something restricted, visible, and controlled. The platform's interface indicates that potentially sensitive data is not supposed to be sent to arbitrary third parties simply because a prompt requests it. External actions are expected to be mediated through explicit safeguards, and direct outbound network access from the code-execution environment is restricted.
However, our research revealed a path around that model. We discovered that a single malicious prompt could activate a hidden exfiltration channel inside a regular ChatGPT conversation. During a test conversation, user content summaries were silently transmitted to an external server without any warning or approval from the user.
Intended Security Measures
ChatGPT includes useful tools that can retrieve information from the internet and execute Python code. OpenAI has built safeguards around these capabilities to protect user data. For example, the web-search capability does not allow sensitive chat content to be transmitted outward through crafted query strings. The Python-based Data Analysis environment was designed to prevent internet access entirely. OpenAI describes that environment as a secure code execution runtime that cannot generate direct outbound network requests.
Additionally, OpenAI documents that so-called GPTs can send relevant parts of a user's input to external services through APIs. A GPT is a customized version of ChatGPT that can be configured with instructions, knowledge files, and external integrations. GPT “Actions” provide a legitimate way to call third-party APIs and exchange data with outside services. These Actions are useful for enterprise scenarios, such as sending a user's query to a private database or triggering a workflow in a business tool. But the vulnerability we found allows unauthorized exfiltration that bypasses these controlled channels.
This hidden outbound channel in the code execution runtime undermines the very safeguards intended to protect user data. Users assume their conversations are private, but this discovery shows that sensitive information can be stolen through carefully crafted prompts or compromised GPTs. The implications are severe for anyone using ChatGPT to discuss personal or confidential matters.
OpenAI has been notified of this vulnerability. Users are advised to remain cautious when sharing sensitive data with AI assistants and to avoid using GPTs from untrusted sources. Back to key findings.