|
|
|
|
And.. another OAuth vulnerability – now it's ChatGPT
|
|
4 points
by DBformore
824 days ago
|
|
|
TLDR: The state variable that ChatGPT uses in the integration with plugins, was not random.
Attackers could install a malicious plugin on a victim by sending a link that mimic the last step of the OAuth flow. The takeaway:
If your company has an OAuth, make sure the state parameter is random. That's a common mistake. https://salt.security/blog/security-flaws-within-chatgpt-extensions-allowed-access-to-accounts-on-third-party-websites-and-sensitive-data |
|
|