
ChatGPT: A New Weapon for Cybercriminals?


ChatGPT can be very convenient in everyday life: organizing a road trip, generating cooking recipes or text summaries, or, more recently, taking on tasks that organize your day. Unfortunately, we already knew that it can also be used for far less honorable purposes and serve as a real ally to hackers.

A certain Benjamin Flesch has just published, on his GitHub page, his analysis of the internal workings of ChatGPT. It reveals a gaping vulnerability that can be exploited to increase the power of distributed denial-of-service (DDoS) attacks: cyberattacks that create a kind of digital traffic jam by overloading a system with an abnormally high volume of requests, blocking access to a website, server or application.

ChatGPT's API: A Double-Edged Sword

The heart of the problem lies in ChatGPT's link management system. The application programming interface (API) has a fundamental flaw: it does not check for duplicate links, and it does not enforce a maximum number of links per request. This technical negligence allows an attacker to use OpenAI's servers, hosted on Microsoft Azure, as force multipliers in a coordinated attack. A real backdoor, easily used by those who know how.

The attack process takes place in several stages: the attacker sends a request containing thousands of identical links to a target site. OpenAI's servers, without any control or limitation mechanism, then simultaneously trigger a multitude of connections to this same site. This amplification transforms a single malicious request into an avalanche of parallel connections, potentially overwhelming the target's infrastructure.
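The two checks the article says are missing, sketched as an added example (not OpenAI's code and not taken from Flesch's report): a cap on links per request and deduplication before any outbound fetch, plus a per-host limit that goes beyond what the article names. The limits, function names and sample URLs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

MAX_URLS = 10        # assumed cap on links accepted in one request
MAX_PER_HOST = 2     # assumed cap on fetches aimed at a single host


class TooManyUrls(ValueError):
    """Raised when a request lists more links than the service accepts."""


def canonicalize(url):
    """Return a comparison key for url, or None if it is not plain http(s)."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()
    if scheme not in ("http", "https") or not host:
        return None
    if ":" in host:                # IPv6 literal: restore the brackets
        host = f"[{host}]"
    default = 80 if scheme == "http" else 443
    netloc = host if port in (None, default) else f"{host}:{port}"
    # Fragments never reach the server, so they must not make two links distinct.
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def plan_fetches(urls, max_urls=MAX_URLS, max_per_host=MAX_PER_HOST):
    """Reject oversized lists, then deduplicate and limit fetches per host."""
    if len(urls) > max_urls:
        raise TooManyUrls(f"{len(urls)} links submitted, limit is {max_urls}")
    seen, per_host, plan = set(), {}, []
    for raw in urls:
        key = canonicalize(raw)
        if key is None or key in seen:
            continue               # unsupported scheme or an exact repeat
        seen.add(key)
        host = urlsplit(key).hostname
        if per_host.get(host, 0) >= max_per_host:
            continue               # distinct URL, but this host is at its limit
        per_host[host] = per_host.get(host, 0) + 1
        plan.append(key)
    return plan
```

Whatever fetcher sits behind the API would request only the URLs that `plan_fetches` returns, so a list of identical links collapses to a single outbound connection.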


Imagine that a cybercriminal aware of this flaw wants to disable the website of a competing company. He would first create a request containing thousands of links, all pointing to the target website, and send it to the ChatGPT API. OpenAI's servers would then send a huge number of requests to that site at the same time, and the site, overloaded with traffic, would become unavailable.

Who is responsible for this fiasco?

Faced with this discovery in January 2025, computer security experts deployed an arsenal of means to alert those responsible. Official reporting channels – bug bounty platforms, GitHub repositories, support and security teams – were all mobilized. The answer? A wall of automated replies linking to FAQ pages, and reports that were simply filed away.

This absurd situation has persisted since the initial discovery. Attempts at communication, whether aimed at OpenAI, Microsoft or even Cloudflare, which manages the gateway infrastructure, have been met with rather scandalous administrative inertia. Reports are either ignored or treated as simple “information” of no particular severity.

A particularly worrying silence, which raises doubts about their real priorities: innovation at all costs, or the safety of their users? The lack of social responsibility on the part of the companies involved is flagrant, and one wonders why there has been no real reaction from them.

  • A flaw in ChatGPT allows its servers to be used to amplify DDoS attacks and saturate websites.
  • This vulnerability comes from a lack of control in the management of links by the ChatGPT API.
  • OpenAI, Microsoft and other stakeholders have not taken action despite repeated warnings from security experts.


Teilor Stone
