←back to thread

Nepenthes is a tarpit to catch AI web crawlers

(zadzmo.org)
646 points blendergeek | 3 comments | 16 Jan 25 13:57 UTC | HN request time: 0.894s | source
Show context
bflesch ◴[16 Jan 25 15:46 UTC] No.42726827[source]
Haha, this would be an amazing way to test the ChatGPT crawler reflective DDOS vulnerability [1] I published last week.

Basically a single HTTP Request to ChatGPT API can trigger 5000 HTTP requests by ChatGPT crawler to a website.

The vulnerability is/was thoroughly ignored by OpenAI/Microsoft/BugCrowd but I really wonder what would happen when ChatGPT crawler interacts with this tarpit several times per second. As ChatGPT crawler is using various Azure IP ranges I actually think the tarpit would crash first.

The vulnerability reporting experience with OpenAI / BugCrowd was really horrific. It's always difficult to get attention for DOS/DDOS vulnerabilities and companies always act like they are not a problem. But if their system goes dark and the CEO calls then suddenly they accept it as a security vulnerability.

I spent a week trying to reach OpenAI/Microsoft to get this fixed, but I gave up and just published the writeup.

I don't recommend you to exploit this vulnerability due to legal reasons.

[1] https://github.com/bf/security-advisories/blob/main/2025-01-...

replies(8): >>42727288 #>>42727356 #>>42727528 #>>42727530 #>>42733203 #>>42733949 #>>42738239 #>>42742714 #
hassleblad23 ◴[16 Jan 25 16:34 UTC] No.42727528[source]
I am not surprised that OpenAI is not interested if fixing this.
replies(2): >>42727750 #>>42730584 #
bflesch ◴[16 Jan 25 16:54 UTC] No.42727750[source]
Their security.txt email address replies and asks you to go on BugCrowd. BugCrowd staff is unwilling (or too incompetent) to run a bash curl command to reproduce the issue, while also refusing to forward it to OpenAI.

The support@openai.com waits an hour before answering with ChatGPT answer.

Issues raised on GitHub directly towards their engineers were not answered.

Also Microsoft CERT & Azure security team do not reply or care respond to such things (maybe due to lack of demonstrated impact).

replies(2): >>42729126 #>>42734923 #
permo-w ◴[16 Jan 25 18:39 UTC] No.42729126[source]
why try this hard for a private company that doesn't employ you?
replies(8): >>42729394 #>>42730264 #>>42730800 #>>42731345 #>>42732640 #>>42735360 #>>42736114 #>>42738383 #
netdevphoenix ◴[17 Jan 25 10:37 UTC] No.42736114[source]
I always wonder why people not working or planning to work in infosec do this. I get giving up your free time to build open source functionality used by rich for-profit companies that will just make them rich because that's the nature of open source. But literally giving your free time to help a rich company get richer that I do not get. My only explanation is that they enjoy the process. It's like people spending their free time giving information and resources when they would not do that if that person was in front of them.
replies(2): >>42736420 #>>42739331 #
1. bflesch ◴[17 Jan 25 16:08 UTC] No.42739331[source]
> rich company get richer

They have heaps of funding, but are still fundraising. I doubt they're making much money.

I do have an extensive infosec background, just left corporate security roles because it's a recipe for burnout because most won't care about software quality. Last year I've reported a security vulnerability in a very popular open source project and had to fight tooth and nail with highly-paid FAANG engineers to get it recognized + fixed.

This ChatGPT vulnerability disclosure was a quick temperature check on a product I'm using on a daily basis.

The learning for me is that their BugCrowd bug bounty is not worth to interact with. They're tarpitting vulnerability reports (most likely due to stupidity) and ask for videos and screenshots instead of understanding a single curl command. Through their unhelpful behavior they basically sent me on an organizational journey of trying to find a human at OpenAI who would care about this security vulnerability. In the end I failed to reach anyone at OpenAI, and due to sheer luck it got fixed after the exposure on HackerNews.

This is their "error culture":

1) Their security team ignored BugCrowd reports

2) Their data privacy team ignored {dsar,privacy}@openai.com reports

3) Their AI handling support@openai.com didn't understand it

4) Their colleagues at Microsoft CERT and Azure security team ignored it (or didn't care enough about OpenAI to make them look at it).

5) Their engineers on github were either too busy or didn't care to respond to two security-related github issues on their main openai repository.

6) They silently disable the route after it pop ups on HackerNews.

Technical issues:

1) Lack of security monitoring (Cloudflare, Azure)

2) Lack of security audits - this was a low hanging fruit

3) Lack of security awareness with their highly-paid engineers:

I assume it was their "AI Agent" handling requests to the vulnerable API endpoint. How else would you explain that the `urls[]` parameter is vulnerable to the most basic "ignore previous instructions" prompt injection attack that was demonstrated with ChatGPT years ago. Why is this prompt injection still working on ANY of their public interfaces? Did they seriously only implement the security controls on the main ChatGPT input textbox and not in other places? And why didn't they implement any form of rate limiting for their "AI Agent"?

I guess we'll never know :D

replies(1): >>42739617 #
2. netdevphoenix ◴[17 Jan 25 16:23 UTC] No.42739617[source]
That's really bad. But then again OpenAI was he coolest company for a year two and now it's facing multiple existential crises. Chances are that the company won't be around by 2030 or will be partially absorbed by Microsoft. My take is that GPT-5 will never come out if it ever does it will just be to mark the official downfall of the company because it will fail to live to the expectations and will drop the valuation of the company.

LLMs are truly amazing but I feel Sama has vastly oversold their potential (which he might have done based on the truly impressive progress that we have seen in the late 10s early 20s. But the tree's apple yield hasn't increased and watering more won't result in a higher yield.

replies(1): >>42741017 #
3. bflesch ◴[17 Jan 25 17:43 UTC] No.42741017[source]
I've reframed ChatGPT as a google alternative without ads and am really happy when using it this way. It's still a great product and they'll be able to monetize it with ads just like google did.

Personally it's quite disappointing because I'd have expected at least some engineer to say "it's not a bug it's a feature" or "thanks for informative vulnerability report, we'll fix it in next release".

But just ignoring it on so many avenues feels bad.

I remember when 15yrs ago I reported something to Dropbox and their founder Arash answered the e-mail and sent me a box of tshirts. Not that I want to chat with sama but it's still a startup, right?