White-hat hacker Johann Rehberger recently disclosed a shocking security vulnerability, revealing that ChatGPT can be exploited by hackers as spyware to continuously steal user data. Rehberger named this attack method "SpAIware," primarily targeting the new feature of the macOS version of the ChatGPT application—long-term memory.
This vulnerability exploits the persistent memory feature recently introduced by ChatGPT. Through carefully crafted prompt injections, hackers can implant malicious commands in ChatGPT's long-term memory, causing it to transmit user conversation content to a remote server. More concerning is that this attack does not even require direct access to the user's account and can be achieved through payloads encoded in images or websites.
Image source note: The image was generated by AI, and the image authorization service provider is Midjourney
Although OpenAI initially responded indifferently to Rehberger's report, the development team finally took action after he provided proof of concept. Currently, OpenAI has released partial fixes that prevent ChatGPT from sending data to remote servers. However, the AI can still accept prompts from untrusted sources, meaning hackers can still inject malicious prompts into long-term memory.
Rehberger emphasizes that this attack is nearly invisible to users and has persistence. Even if users start new conversations, the implanted malicious commands will continue to steal data. Currently, this vulnerability has only been confirmed in the macOS application version of ChatGPT, with the web version unaffected.
To guard against potential risks, users should be cautious about using ChatGPT to scan unknown websites or images. It is also recommended to regularly check the application's memory tools and delete any suspicious entries. This incident once again reminds us that while enjoying the convenience of AI, "TrustNoAI" (do not trust AI) may be a guideline we should all keep in mind.
