ZombieAgent bypasses ChatGPT URL allow list to exfiltrate data letter by letter
Researchers at Radware developed a prompt-injection technique called ZombieAgent that bypassed OpenAI’s URL restrictions and allowed data to be exfiltrated from ChatGPT one character at a time. OpenAI had previously restricted ChatGPT to open only URLs provided exactly as given and to refuse adding parameters, a change that blocked a prior attack known as ShadowLeak.
Radware’s tweak supplied a complete list of preconstructed URLs that appended a single letter or number to a base address (for example, example.com/a through example.com/z and example.com/0 through example.com/9) and instructed the agent to substitute a special token for spaces, enabling URL-based character exfiltration.
ZombieAgent worked because OpenAI did not restrict the appending of a single letter to a URL. OpenAI has since mitigated the attack by blocking ChatGPT from opening any link originating from an email unless the link appears in a well-known public index or was provided directly by the user in a chat prompt, a tweak intended to prevent agents from opening base URLs that lead to attacker-controlled domains.
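The character-at-a-time exfiltration described above leaves a distinctive trace on the defender's side: a burst of fetches to one host whose paths are each a single letter, digit or space stand-in. The following Python script, an added example that is not code from the article, OpenAI or Radware, scans an agent's outbound-fetch log for that pattern. It assumes a hypothetical log format of `<ISO-8601 timestamp> <requester> <url>` per line, uses `_` as a placeholder for the unnamed "special token" that replaced spaces, and runs on a constructed sample log with made-up hostnames.

```python
"""Detect one-character-per-request URL exfiltration in an agent's outbound
fetch log. Added example, not code from the article, OpenAI or Radware.

Assumed (hypothetical) log format, one fetch per line:
    <ISO-8601 timestamp> <requester> <url>
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# The article says a "special token" stood in for spaces but does not name it;
# "_" is an assumed placeholder and should be set to whatever is observed.
SPACE_TOKEN = "_"
# A path that is exactly one letter, one digit, or the space stand-in.
SINGLE_CHAR_PATH = re.compile(r"^/([A-Za-z0-9]|" + re.escape(SPACE_TOKEN) + r")$")

# Constructed sample log: one ordinary document fetch, a seven-request leak of
# the string "api key" to a collector host, and one lone single-character fetch
# to another host that should stay below the alert threshold.
SAMPLE_LOG = """\
2024-01-01T10:00:00 agent https://docs.example.net/handbook.pdf
2024-01-01T10:00:01 agent https://collector.example.invalid/a
2024-01-01T10:00:02 agent https://collector.example.invalid/p
2024-01-01T10:00:03 agent https://collector.example.invalid/i
2024-01-01T10:00:04 agent https://collector.example.invalid/_
2024-01-01T10:00:05 agent https://collector.example.invalid/k
2024-01-01T10:00:06 agent https://collector.example.invalid/e
2024-01-01T10:00:07 agent https://collector.example.invalid/y
2024-01-01T10:00:08 agent https://shortlinks.example.net/x
""".splitlines()


def parse_line(line):
    """Split one log line into (timestamp, requester, url)."""
    ts, requester, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), requester, url


def single_char_fetches(lines):
    """Group fetches whose whole path is a single character, keyed by scheme+host."""
    groups = defaultdict(list)
    for line in lines:
        ts, _requester, url = parse_line(line)
        parts = urlsplit(url)
        match = SINGLE_CHAR_PATH.match(parts.path)
        if match and not parts.query:
            groups[f"{parts.scheme}://{parts.netloc}"].append((ts, match.group(1)))
    return groups


def find_exfil_sequences(lines, min_requests=5, window_seconds=300):
    """Flag hosts that received at least min_requests single-character fetches
    within any window_seconds-long window. Returns one dict per flagged host
    with the characters in arrival order, so an analyst can scope what leaked."""
    alerts = []
    for host, fetches in single_char_fetches(lines).items():
        fetches.sort()  # chronological order; tuples sort by timestamp first
        burst = any(
            (fetches[i + min_requests - 1][0] - fetches[i][0]).total_seconds() <= window_seconds
            for i in range(len(fetches) - min_requests + 1)
        )
        if not burst:
            continue
        recovered = "".join(" " if c == SPACE_TOKEN else c for _, c in fetches)
        alerts.append({"host": host, "requests": len(fetches), "recovered": recovered})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_sequences(SAMPLE_LOG):
        print(f"{alert['host']}: {alert['requests']} single-character fetches, "
              f"recovered text {alert['recovered']!r}")
```

The threshold and window are tuning knobs: legitimate sites rarely serve many distinct one-character paths in quick succession, so a low threshold catches short leaks while the time window keeps slow, scattered fetches to a short-link service from paging anyone. The `recovered` field is for incident scoping, telling the responder which characters left the environment and in what order.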
Observers say this pattern of patching one exploit only to see a variation revive it is likely to continue. "Guardrails should not be considered fundamental solutions for the prompt injection problems," Pascal Geenens, VP of threat intelligence at Radware, wrote in an email. "Instead, they are a quick fix to stop a specific attack."