requilence | 7 months ago

Reported a flaw to OpenAI that lets users peek at others' chat responses. Got an auto-reply on May 29th, radio silence since. Issue remains unpatched :( Avoided their bug bounty due to permanent NDAs preventing disclosure even after fixes. Following standard 45-day disclosure window—users should avoid sharing sensitive data until this is resolved.

jonrouach|7 months ago

you're sure it's not their "feature" that calling the api with empty string returns random hallucinations?

https://jarbon.medium.com/gpt-prompt-bug-94322a96c574

requilence|7 months ago

No, definitely not the empty string hallucination bug. These are clearly real user conversations. They start like proper replies to requests, sometimes reference the original question, and appear in different languages.

999900000999|7 months ago

Users should always avoid sharing sensitive data.

A lot of AI products straight up have plain text logs available for everyone at the company to view.

pyman|7 months ago

It's not just about sensitive data like passwords, contracts, or IP. It's also about the personal conversations people have with ChatGPT. Some are depressed, some are dealing with bullying, others are trying to figure out how to come out to their parents. For them, this isn't just sensitive, it's life-changing if it gets leaked. It's like Meta leaking their WhatsApp messages.

I really hope they fix this bug and start taking security more seriously. Trust is everything.

ameliaquining|7 months ago

Which ones? Do you just mean tiny startups and side projects and the like or is this a problem that major model providers have?

poniko|7 months ago

The NDA part feels really murky.

tptacek|7 months ago

It's pretty standard for bounty programs. If you don't like it, which is reasonable, do what this researcher did and just post independently.

com2kid|7 months ago

I see other users' conversations on my Gemini dashboard, not sure who to even complain to.

Software quality is... Minimal nowadays.

fcpguru|7 months ago

well done, sounds very reasonable and following the rules.

requilence|7 months ago

Appreciate it. Just trying to do the right thing by both OpenAI and users here.

maxlin|7 months ago

Permanent NDAs? Oof. It's like their plan is to just try to force the lid down till they reach ASI or something lol

tptacek|7 months ago

Again: NDAs are bog standard bounty terms.