New vulnerabilities reveal how AI tools can silently leak data and compromise developer environments
OpenAI has patched two critical vulnerabilities affecting ChatGPT and its Codex platform. These flaws could have allowed attackers to exfiltrate sensitive data and steal developer credentials.
Security researchers from Check Point and BeyondTrust uncovered the issues. Although there is no evidence of active exploitation, the findings highlight serious risks in modern AI environments.
ChatGPT Data Exfiltration Vulnerability
Researchers discovered that a single malicious prompt could turn ChatGPT into a covert data exfiltration channel.
Instead of using direct network requests, the attack abused a hidden DNS-based communication path inside the AI’s Linux runtime. As a result, attackers could bypass built-in safeguards and leak:
- User conversations
- Uploaded files
- Sensitive contextual data
Because the system assumed the environment was isolated, it failed to detect this behavior as external data transfer.
How the Attack Works
Attackers could trick users into entering malicious prompts by:
- Promising premium features
- Offering performance improvements
- Embedding payloads inside custom GPTs
Once executed, the prompt encodes sensitive data into DNS requests, creating a stealthy exfiltration channel that remains invisible to users.
In more advanced scenarios, the same technique could even enable:
- Remote shell access
- Command execution inside the runtime environment
Why This Is Dangerous
This vulnerability exposes a critical blind spot:
- No user interaction warning
- No consent required
- No visibility into data exfiltration
As AI tools become part of enterprise workflows, this creates a new attack surface where prompt injection can lead to data leakage without detection.
Codex Vulnerability: GitHub Token Theft
In a separate finding, researchers identified a command injection vulnerability in OpenAI Codex.
The flaw allowed attackers to inject malicious commands through the GitHub branch name parameter during task execution.
This could result in:
- Theft of GitHub access tokens
- Unauthorized access to repositories
- Read/write control over codebases
- Lateral movement across development environments
Because Codex operates with elevated privileges, exploitation could impact entire development pipelines.
How the Codex Attack Works
Attackers craft a malicious branch name containing injected commands. Then:
- Codex processes the request
- Executes the payload inside its container
- Sends sensitive data (e.g., tokens) back to the attacker
Additionally, attackers could trigger execution by referencing Codex in pull requests, making the attack scalable and stealthy.
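As an added illustration of the defensive side (this is example code, not code from OpenAI, Codex or the researchers), here is how a task runner can treat a caller-supplied branch name before using it: allowlist it, fully qualify it as a ref, and pass it as an argv list rather than through a shell. The function names, the `origin` remote and the allowlist itself are this example's assumptions.

```python
import re
import subprocess
from typing import List

# Allowlist deliberately stricter than Git's own ref-name rules: Git permits
# characters such as ';', '|', '$' and '&' in branch names, so "valid Git
# name" is not the same as "safe to place on a command line". (Assumed policy.)
_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")
_MAX_LEN = 200


def is_safe_branch_name(name: str) -> bool:
    """True only for branch names that are well-formed and option-safe."""
    if not _ALLOWED.match(name) or len(name) > _MAX_LEN:
        # empty, leading '-' (would parse as an option), or a disallowed character
        return False
    if ".." in name or "//" in name or name.endswith("/") or name.endswith(".lock"):
        # path traversal, empty path components, lock-file names
        return False
    return not any(part.startswith(".") for part in name.split("/"))


def build_fetch_argv(branch: str, remote: str = "origin") -> List[str]:
    """Build the git command as an argv list, never as a shell string.

    The branch is fully qualified as refs/heads/<name>, so it can only be read
    as a ref, and the list form means no shell ever reinterprets it.
    """
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "fetch", remote, f"refs/heads/{branch}"]


def fetch_branch(branch: str, repo_dir: str) -> subprocess.CompletedProcess:
    """Run the fetch with shell=False (the default) so argv is passed verbatim."""
    return subprocess.run(build_fetch_argv(branch), cwd=repo_dir,
                          capture_output=True, text=True, check=True)
```

The validator rejects a value such as `main; id` or `--upload-pack=x` outright, and even a name that passes it reaches git as a single argument rather than as shell text.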
Growing Risk: AI as an Attack Surface
These vulnerabilities highlight a major shift:
AI platforms are no longer just tools—they are execution environments.
This introduces new risks:
- Prompt injection attacks
- Hidden data exfiltration channels
- Abuse of AI agent privileges
- Supply chain risks in development workflows
Moreover, malicious browser extensions have also been found stealing chatbot conversations, further expanding the attack surface.
What Organizations Should Do
To reduce risk, organizations must:
- Implement additional security layers around AI tools
- Monitor AI interactions and outputs
- Restrict sensitive data exposure inside AI environments
- Validate inputs used in AI workflows
- Secure developer pipelines and access tokens
Most importantly, organizations should not rely solely on built-in AI security controls.
Strategic Takeaway
These findings reinforce a critical reality:
AI systems can introduce invisible risks that traditional security tools cannot detect.
As AI becomes deeply integrated into business and development workflows, security must evolve accordingly.
Because in the AI era, every prompt, input, and integration can become a potential attack vector.