Security News > 2023 > March > OpenAI Reveals Redis Bug Behind ChatGPT User Data Exposure Incident

OpenAI on Friday disclosed that a bug in the Redis open source library was responsible for the exposure of other users' personal information and chat titles in the upstart's ChatGPT service earlier this week.

The glitch, which came to light on March 20, 2023, enabled certain users to view brief descriptions of other users' conversations from the chat history sidebar, prompting the company to temporarily shut down the chatbot.

"It's also possible that the first message of a newly-created conversation was visible in someone else's chat history if both users were active around the same time," the company said.

The bug, it further added, originated in the redis-py library, leading to a scenario where canceled requests could cause connections to be corrupted and return unexpected data from the database cache, in this case, information belonging to an unrelated user.

While the problem has since been addressed, OpenAI noted that the issue may have had more implications elsewhere, potentially revealing payment-related information of 1.2% of the ChatGPT Plus subscribers on March 20 between 1-10 a.m. PT. This included another active user's first and last name, email address, payment address, the last four digits of a credit card number, and credit card expiration date.

The company said it has reached out to affected users to notify them of the inadvertent leak.

News URL

https://thehackernews.com/2023/03/openai-reveals-redis-bug-behind-chatgpt.html