Security News > 2023 > March > A bug revealed ChatGPT users’ chat history, personal and billing data

A bug revealed ChatGPT users’ chat history, personal and billing data
2023-03-27 11:41

Not only were some ChatGPT users able to see what other users have been using the AI chatbot for, but limited personal and billing information ended up getting revealed, as well.

ChatGPT suffered an outage on March 20 and then problems with making conversation history accessible to users.

"During a nine-hour window on March 20, 2023, another ChatGPT user may have inadvertently seen your billing information when clicking on their own 'Manage Subscription' page," OpenAI notified 1.2% of the ChatGPT Plus subscribers via email.

"The billing information another user might have seen consisted of your first and last name, billing address, credit card type, credit card expiration date, and the last four digits of your credit card. The information did not include your full credit card number, and we have no evidence that any customer information was viewed by more than one other ChatGPT user."

"The library maintains a shared pool of connections between the server and the cluster, and recycles a connection to be used for another request once done. When using Asyncio, requests and responses with redis-py behave as two queues: the caller pushes a request onto the incoming queue, and will pop a response from the outgoing queue, and then return the connection to the pool. If a request is canceled after the request is pushed onto the incoming queue, but before the response popped from the outgoing queue, we see our bug: the connection thus becomes corrupted and the next response that's dequeued for an unrelated request can receive data left behind in the connection," they noted.

The bug has since been patched, and OpenAI has added checks to make sure requesting users don't get data belonging to other users.


News URL

https://www.helpnetsecurity.com/2023/03/27/chatgpt-data-leak/