
646 points blendergeek | 3 comments
bflesch ◴[] No.42726827[source]
Haha, this would be an amazing way to test the ChatGPT crawler reflective DDOS vulnerability [1] I published last week.

Basically a single HTTP Request to ChatGPT API can trigger 5000 HTTP requests by ChatGPT crawler to a website.

The vulnerability is/was thoroughly ignored by OpenAI/Microsoft/BugCrowd but I really wonder what would happen when ChatGPT crawler interacts with this tarpit several times per second. As ChatGPT crawler is using various Azure IP ranges I actually think the tarpit would crash first.

The vulnerability reporting experience with OpenAI / BugCrowd was really horrific. It's always difficult to get attention for DOS/DDOS vulnerabilities and companies always act like they are not a problem. But if their system goes dark and the CEO calls then suddenly they accept it as a security vulnerability.

I spent a week trying to reach OpenAI/Microsoft to get this fixed, but I gave up and just published the writeup.

I don't recommend you to exploit this vulnerability due to legal reasons.

[1] https://github.com/bf/security-advisories/blob/main/2025-01-...

replies(8): >>42727288 #>>42727356 #>>42727528 #>>42727530 #>>42733203 #>>42733949 #>>42738239 #>>42742714 #
michaelbuckbee ◴[] No.42727356[source]
What is the https://chatgpt.com/backend-api/attributions endpoint doing (or responsible for when not crushing websites)?
replies(1): >>42727723 #
bflesch ◴[] No.42727723[source]
When ChatGPT cites web sources in its output to the user, it will call `backend-api/attributions` with the URL and the API will return what the website is about.

Basically it does an HTTP request to fetch the HTML `<title/>` tag.

They don't check length of supplied `urls[]` array and also don't check if it contains the same URL over and over again (with minor variations).

It's just bad engineering all around.

replies(2): >>42729505 #>>42730447 #
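
The two checks the comment above says are missing (a bound on the length of `urls[]` and detection of the same URL repeated with minor variations), as an added example; it is not OpenAI's code and not taken from the advisory. `MAX_URLS`, `MAX_PER_HOST`, the function names and the choice of which variations to fold together are assumptions, and the per-host budget goes one step beyond the comment because canonicalization alone cannot catch variations in path or query.

```python
from urllib.parse import urlsplit

MAX_URLS = 10       # assumed cap on the length of urls[] per request
MAX_PER_HOST = 2    # assumed cap on outbound fetches per target host per request


class RejectRequest(ValueError):
    """The whole request should be refused with a 4xx response."""


def canonical(url):
    """Return (host, canonical_url) for a plain http(s) URL, else raise."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                      # raises ValueError on a bad port
    except ValueError as exc:
        raise RejectRequest(f"unparseable URL: {url!r}") from exc
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if scheme not in ("http", "https") or not host:
        raise RejectRequest(f"unsupported URL: {url!r}")
    netloc = f"[{host}]" if ":" in host else host          # IPv6 literal
    if port not in (None, {"http": 80, "https": 443}[scheme]):
        netloc += f":{port}"
    query = f"?{parts.query}" if parts.query else ""
    # The fragment never reaches the server, so it is dropped.
    return host, f"{scheme}://{netloc}{parts.path or '/'}{query}"


def plan_fetches(urls):
    """Validate a urls[] array and return the bounded list of URLs to fetch."""
    if not isinstance(urls, list) or len(urls) > MAX_URLS:
        raise RejectRequest(f"urls[] must be a list of at most {MAX_URLS} items")
    seen, per_host, plan = set(), {}, []
    for raw in urls:
        if not isinstance(raw, str):
            raise RejectRequest("urls[] items must be strings")
        host, url = canonical(raw)
        if url in seen:
            continue            # same URL once case, port and fragment are folded
        seen.add(url)
        if per_host.get(host, 0) >= MAX_PER_HOST:
            continue            # distinct paths/queries on one host: budget spent
        per_host[host] = per_host.get(host, 0) + 1
        plan.append(url)
    return plan
```

The length check runs before any parsing, so an oversized array costs the server one comparison, and the returned plan can never exceed `MAX_URLS` fetches in total or `MAX_PER_HOST` against any single site.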
1. JohnMakin ◴[] No.42729505[source]
Even if you were unwilling to change this behavior on the application layer or server side, you could add a directive in the proxy to prevent such large payloads from being accepted as an immediate mitigation step, unless they seriously need that parameter to have unlimited number of urls in it (guessing they have it set to some default like 2mb and it will break at some limit, but I am afraid to play with this too much). Somehow I doubt they need that? I don't know though.
replies(1): >>42739373 #
2. bflesch ◴[] No.42739373[source]
Cloudflare is the proxy in front of the API endpoint. After it became apparent that BugCrowd is tarpitting me and OpenAI didn't care to respond, I reported to Cloudflare via their bug bounty because I thought it's such a famous customer they'd forward the information.

But yeah, Cloudflare did not forward the vulnerability to OpenAI or prevent these large requests at all.

replies(1): >>42739837 #
3. JohnMakin ◴[] No.42739837[source]
I mean, whatever proxy is directly in front of their backend. I don't pretend to know how it's set up, but something like nginx could nip this in the bud pretty quickly as an emergency mediation, was my point.