top of page

Account Takeover vulnerability in ChatGPT

Cybersecurity is just like a game of whack-a-mole, except the moles have PhDs in computer science and they never get tired!


Today, we will talk about a severe security vulnerability discovered in ChatGPT. The vulnerability allowed an attacker to take over any user's account with a single click, giving them access to sensitive information and the ability to perform unauthorized actions. The discovery of this vulnerability is credited to Nagli, who identified the issue and reported it to the ChatGPT team. We applaud Nagli for their contribution to improving the security of the platform.

Understanding Account Takeover

To comprehend the severity of this vulnerability and its impact, it is crucial to understand what an account takeover entails. An account takeover is a cyber attack in which an unauthorized individual gains access to a user's online account by exploiting system vulnerabilities or stealing the user's login credentials. Once an attacker has earned access, they can conduct a range of malicious activities, including but not limited to theft of personal information, fraudulent transactions, or spreading malware.

The attack uses a web cache deception vulnerability to access a victim's ChatGPT account. This vulnerability allowed us to execute a one-click attack to compromise any user's account, enabling an account takeover.

Impact of Web Cache Deception on Online Security

A web cache deception vulnerability is a type of security flaw that allows attackers to manipulate the caching mechanisms of web servers to deceive users and compromise their accounts. This type of vulnerability occurs when a website's server cache is improperly configured or implemented. An attacker can use this vulnerability to trick the server into caching a fake webpage or to manipulate the content of an existing cached webpage.

The attacker can deceive a user into submitting sensitive information, such as their login credentials or financial data, to the attacker's server. This information can then be used to perform diverse malicious activities, including account takeover, identity theft, and financial fraud.

To exploit the vulnerability in ChatGPT and take over a user's account, an attacker could create a ".css" path to the session endpoint and send the link to the victim. When the target clicks on the link, the response is cached, and the attacker can extract the victim's credentials, enabling them to gain unauthorized access to the victim's account. This severe web cache deception vulnerability could have given attackers access to sensitive user information such as names, email addresses, and access tokens, which were being retrieved from the server by OpenAI's API.

By accessing "", the attacker can obtain the account data, including name, email, ID, and most importantly, our access token. With this information, we could then create a request to "", and the server would return the same data as "/api/auth/session", regardless of whether the victim ".css" file existed on the server. This is because the server would interpret the ".css" extension as a Cascading Style Sheets (CSS) file and cache it accordingly, including the victim's session content, data, and access token.

To achieve an account takeover, the hacker exploited a web cache deception vulnerability in ChatGPT. The attacker could craft a .css path to the session endpoint and send the link to the victim. When the victim opens the link, the response is cached, and the attacker can harvest the victim's credentials and take over their account.

For the exploit to work, we need to make the CF-Cache-Status response acknowledge a cached "HIT, " meaning that it cached the data and will be served to the subsequent request across the same region.

So, he first tried to fetch the resource with a file extension appended to the endpoint and see if it would throw an error or display the original response.

chat.openai[.]com/api/auth/session.css -> 400

chat.openai[.]com/api/auth/session/test.css -> 200

The API returned the account data, including the victim's access token. By navigating to the "", the hacker found the same content as "/api/auth/session" and returned the user's data, such as the access token. The server cached victim.css with the victim's session content (data and access token) as it interpreted the ".css" extension as a Cascading Style Sheets (CSS) file, and it is configured to cache Style Sheets files.

The hacker could retrieve the victim's authentication data, including the access token, by going to "". As "victim.css" was cached by the server, the hacker could easily view the victim's session data without block or hardships. With the access token, the hacker could authenticate himself and gain access to the victim's account.

Therefore, this vulnerability made performing an account takeover with just one click possible. All the attacker needed to do was wait for the victim to click on a link with a non-existent CSS and immediately obtain their access token.

To carry out an account takeover on ChatGPT, the attacker uses a simple yet effective attack flow:

  • The attacker creates a unique .css path to the /api/auth/session endpoint.

  • The attacker then distributes the link by directly sending it to the victim or making it publicly available.

  • The victim clicks on the seemingly legitimate link.

  • The attacker can now obtain the victim's JWT credentials as the response is cached.

  • The attacker can effortlessly access the victim's account and sensitive information with these credentials.

Prevention and Mitigation

Web cache deception is considered one of the most critical vulnerabilities and is relatively easy to exploit. There are numerous ways to mitigate this issue:

  • The cache server should operate based on the cache-control headers set by your application, and it should only cache the files if its HTTP caching headers allow it.

  • Cache the files based on their Content-Type header instead of solely checking the file extensions.

  • The server should return HTTP errors, such as a 404 or 302, based on the requested non-existent files.

We hope this article was informative about Account Takeover and web cache deception.



Register for instructor-led online courses today!

Check out our free programs!

Contact us with your custom pen testing needs at: or WhatsApp.


1 comentario

14 abr 2023

Nice one!

Me gusta
bottom of page