←back to thread

Nepenthes is a tarpit to catch AI web crawlers

(zadzmo.org)
646 points blendergeek | 3 comments | 16 Jan 25 13:57 UTC | HN request time: 0s | source
Show context
bflesch ◴[16 Jan 25 15:46 UTC] No.42726827[source]
Haha, this would be an amazing way to test the ChatGPT crawler reflective DDOS vulnerability [1] I published last week.

Basically a single HTTP Request to ChatGPT API can trigger 5000 HTTP requests by ChatGPT crawler to a website.

The vulnerability is/was thoroughly ignored by OpenAI/Microsoft/BugCrowd but I really wonder what would happen when ChatGPT crawler interacts with this tarpit several times per second. As ChatGPT crawler is using various Azure IP ranges I actually think the tarpit would crash first.

The vulnerability reporting experience with OpenAI / BugCrowd was really horrific. It's always difficult to get attention for DOS/DDOS vulnerabilities and companies always act like they are not a problem. But if their system goes dark and the CEO calls then suddenly they accept it as a security vulnerability.

I spent a week trying to reach OpenAI/Microsoft to get this fixed, but I gave up and just published the writeup.

I don't recommend you to exploit this vulnerability due to legal reasons.

[1] https://github.com/bf/security-advisories/blob/main/2025-01-...

replies(8): >>42727288 #>>42727356 #>>42727528 #>>42727530 #>>42733203 #>>42733949 #>>42738239 #>>42742714 #
1. mitjam ◴[17 Jan 25 04:03 UTC] No.42733949[source]
How can it reach localhost or is this only a placeholder for a real address?
replies(1): >>42735095 #
2. bflesch ◴[17 Jan 25 07:54 UTC] No.42735095[source]
The code in the github repo has some errors to prevent script kiddies from directly copy/pasting it.

Obviously the proof-of-concept shared with OpenAI/BugCrowd didn't have such errors.

replies(1): >>42742839 #
3. mitjam ◴[17 Jan 25 20:19 UTC] No.42742839[source]
Ah ok, thanks, that makes sense.

Btw the ChatGPT Web App (haven’t tested with the Desktop App) can find info from local/private sites with the search tool, i assume they browse with a client side function.