Multiple vulnerabilities reported in ChatGPT that enable zero-click data theft
Take action: If you use any LLM, be aware that it is inherently vulnerable to all kinds of prompt injection. Ideally, avoid sharing ANYTHING sensitive with it, and regularly review and delete your LLM memory/chats to remove any potentially malicious instructions attackers may have injected.
Learn More
Tenable Research is reporting seven vulnerabilities in OpenAI's ChatGPT artificial intelligence platform that could allow attackers to steal sensitive personal information from users without their knowledge or interaction. The vulnerabilities are collectively dubbed "HackedGPT," a new class of AI security threats that exploit weaknesses in how large language models process external data and manage user information.
The flaws affect both ChatGPT 4o and the latest GPT-5 model, potentially exposing hundreds of millions of users who interact with ChatGPT on a daily basis. There is a zero-click attack vector, which enables attackers to compromise users simply by having them ask an innocent question that triggers a web search.
ChatGPT's memory feature, known as the "bio tool," is enabled by default and stores potentially sensitive user information across conversations, including private details from past interactions. The platform also utilizes a "web tool" for internet access through search or URL browsing, employing a secondary AI called SearchGPT that theoretically isolates browsing from user context.
Tenable researchers discovered that this isolation is insufficient, allowing malicious prompt injections to propagate back to ChatGPT and compromise the primary system. The attack is virtually undetectable to victims who trust ChatGPT's responses.
Discovered vulnerabilities and attack techniques:
- Indirect Prompt Injection via Trusted Sites in Browsing Context (tracked as TRA-2025-06): Attackers hide malicious instructions in legitimate-looking online content such as blog comments or public posts on popular news sites and blogs. When ChatGPT browses that content to summarize articles for users, SearchGPT processes and follows the hidden instructions, compromising users without arousing suspicion.
- Zero-Click Indirect Prompt Injection in Search Context (tracked as TRA-2025-11): A vulnerability that requires no user interaction beyond asking a question. Attackers create websites about specific topics and inject prompts that only appear when SearchGPT's crawler browses them, using fingerprinting techniques based on headers and user agents to serve malicious content exclusively to the AI. After indexing by OpenAI's crawler, when users search for information related to these topics, ChatGPT automatically sources the compromised websites and becomes infected, leading to manipulated responses without any user clicks or interaction.
- One-Click Prompt Injection via URL Parameter (tracked as TRA-2025-22): A vulnerability in ChatGPT's web interface where the ?q= URL parameter can be used to execute prompt injection on link click. Users clicking on crafted links (e.g., chatgpt.com/?q=malicious_prompt) cause ChatGPT to submit the query and execute attacker-controlled instructions.
- Safety Mechanism Bypass Vulnerability: The researchers found that bing.com is whitelisted in OpenAI's url_safe endpoint, which checks URLs before displaying them to users. Since Bing search results use tracking links that redirect from bing.com/ck/a to destination websites, any indexed website has a bing.com URL that will pass the safety check. Attackers can leverage these whitelisted Bing tracking links to bypass filters and exfiltrate user data one character at a time using static redirect URLs, circumventing built-in protections designed to prevent malicious URLs from reaching users.
- Conversation Injection Technique: Attackers use SearchGPT prompt injection to ensure its response ends with additional malicious prompts directed at ChatGPT. When ChatGPT reviews the conversational context in subsequent interactions, it processes and follows the instructions injected by SearchGPT, not realizing they originated from an attacker. This technique effectively causes ChatGPT to inject prompts into itself, creating a chain of compromised AI interactions.
- Malicious Content Hiding Technique: Researchers discovered a markdown rendering bug in the ChatGPT website where any data appearing on the same line as a code block opening (```) after the first word is not rendered to users. This allows attackers to hide malicious instructions that remain invisible unless copied, while ChatGPT still reads and processes them. The response appears completely innocent to users despite containing malicious context that triggers data exfiltration.
- Memory Injection Technique: Attackers can manipulate ChatGPT to update its persistent long-term memory with malicious instructions that remain active across sessions. By poisoning user memories through concealed instructions in websites, attackers create lasting threats that continue exfiltrating private information in every subsequent ChatGPT response, even across different conversations, days, and data changes. This persistence mechanism allows ongoing data leakage until the malicious memory is manually removed.
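The markdown hiding technique above relies on the user and the model seeing different text on a code-fence line. As an added illustration (not Tenable's or OpenAI's code; the function names and the sample response are constructed for this page), the following detector flags fence openers that carry text beyond a one-word language tag, and a normalizer rewrites openers so both views are identical:

```python
import re

# A fenced code block opens with three or more backticks (or tildes) and an
# optional info string, normally one language tag such as "python". The bug
# described above hid everything after that first word from the user only.
FENCE_RE = re.compile(r"^( {0,3})(`{3,}|~{3,})(.*)$")

def _fence_lines(markdown: str):
    """Yield (line_number, line, match, is_opener) for every line. Tracks the open
    block so a closing fence or a fence-like line inside a block is never an opener."""
    open_marker = None
    for lineno, line in enumerate(markdown.splitlines(), start=1):
        m = FENCE_RE.match(line)
        is_opener = False
        if m:
            marker, info = m.group(2), m.group(3).strip()
            if open_marker is None:
                open_marker, is_opener = marker, True
            elif info == "" and marker[0] == open_marker[0] and len(marker) >= len(open_marker):
                open_marker = None  # bare fence of the same kind closes the block
        yield lineno, line, m, is_opener

def find_hidden_fence_text(markdown: str):
    """Return (line_number, extra_text) for each opener whose info string has more than one word."""
    findings = []
    for lineno, _line, m, is_opener in _fence_lines(markdown):
        words = m.group(3).split() if is_opener else []
        if len(words) > 1:
            findings.append((lineno, " ".join(words[1:])))
    return findings

def normalize_fence_openers(markdown: str) -> str:
    """Rewrite each opener to indent + fence + first word so nothing can hide on that line."""
    out = []
    for _lineno, line, m, is_opener in _fence_lines(markdown):
        if is_opener:
            words = m.group(3).split()
            line = m.group(1) + m.group(2) + (words[0] if words else "")
        out.append(line)
    return "\n".join(out)

FENCE = "`" * 3  # built this way so the sample cannot terminate this listing's own fence
SAMPLE_RESPONSE = "\n".join([  # constructed sample, not a real ChatGPT response
    "Here is the summary you asked for.",
    FENCE + "python HIDDEN-PLACEHOLDER text the user never sees",
    'print("hello")',
    FENCE,
    "Nothing else to report.",
])
```

Running `find_hidden_fence_text(SAMPLE_RESPONSE)` reports line 2 with the placeholder text; running the model-facing transcript through `normalize_fence_openers` before it is stored or re-read removes the gap between what the user saw and what the model will act on.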
Potentially compromised data types include:
- User memories and stored personal information
- Chat history and conversation content
- Private details deemed important from past conversations
- Financial information discussed in chats
- Authentication credentials or sensitive work information
- Personally identifiable information shared with ChatGPT
- Any data stored in ChatGPT's long-term memory system
Tenable researchers demonstrated multiple proof-of-concept attacks showing how these vulnerabilities can be chained together. In one scenario, attackers inject malicious prompts in comment sections on popular blogs, and when users ask ChatGPT to summarize the content, SearchGPT browses to the post, gets compromised, and either directs users to phishing sites or begins exfiltrating data through subsequent interactions. Another proof-of-concept showed persistent memory injection where ChatGPT is manipulated into adding a memory instructing it to exfiltrate private information with every response, creating a continuous data leak that persists across all future conversations until the memory is identified and removed.
Tenable Research disclosed all vulnerabilities to OpenAI and worked directly with them to remediate some of the issues. OpenAI has addressed several vulnerabilities, including improvements to the url_safe mechanism and implementation of auto-submit protections based on the sec-fetch-site header.
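To show what an auto-submit protection based on the sec-fetch-site header can look like, here is an added example (not OpenAI's implementation; the Action enum, decide_q_param and the request samples are constructed for this page) in which a web front end only runs a ?q= query unprompted when the browser attributes the navigation to the application's own origin, and otherwise just prefills the input box:

```python
from enum import Enum
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlsplit

class Action(Enum):
    SUBMIT = "submit"    # run the query immediately
    PREFILL = "prefill"  # put the text in the box; the user must read it and press send
    IGNORE = "ignore"    # no usable query in the URL

def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return None

def decide_q_param(headers: Mapping[str, str], url: str) -> Action:
    """Gate auto-submission of a ?q= query on the browser's Fetch Metadata headers.
    Only a top-level document navigation that the browser attributes to our own
    origin (Sec-Fetch-Site: same-origin) runs the query unprompted. A link from
    another site (cross-site), from a sibling subdomain (same-site), from outside
    any page such as an email client (none), or a client that sends no metadata
    all fall back to PREFILL, so attacker-supplied text never executes unseen."""
    query = parse_qs(urlsplit(url).query).get("q", [""])[0]
    if not query.strip():
        return Action.IGNORE
    if (_header(headers, "Sec-Fetch-Site") == "same-origin"
            and _header(headers, "Sec-Fetch-Mode") == "navigate"
            and _header(headers, "Sec-Fetch-Dest") == "document"):
        return Action.SUBMIT
    return Action.PREFILL

# Constructed request samples (headers and URLs made up for this example).
NAV = {"Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}
CASES = [
    ({**NAV, "Sec-Fetch-Site": "same-origin"}, "https://chatgpt.com/?q=hello", Action.SUBMIT),
    ({**NAV, "Sec-Fetch-Site": "cross-site"}, "https://chatgpt.com/?q=hello", Action.PREFILL),
    ({**NAV, "Sec-Fetch-Site": "none"}, "https://chatgpt.com/?q=hello", Action.PREFILL),
    ({}, "https://chatgpt.com/?q=hello", Action.PREFILL),
    ({**NAV, "Sec-Fetch-Site": "same-origin"}, "https://chatgpt.com/", Action.IGNORE),
]

def run_cases() -> bool:
    """Return True when every constructed case yields the expected action."""
    return all(decide_q_param(h, u) is expected for h, u, expected in CASES)
```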
At the time of publication, not all vulnerabilities had been fully resolved, and several proof-of-concept attacks remain valid in ChatGPT 5.
Prompt injection is acknowledged as a fundamental issue with how large language models work, and unfortunately, it will probably not be fixed systematically in the near future. According to Moshe Bernstein, Senior Research Engineer at Tenable, "Individually, these flaws seem small but together they form a complete attack chain, from injection and evasion to data theft and persistence. It shows that AI systems aren't just potential targets; they can be turned into attack tools that silently harvest information from everyday chats or browsing."