
ChatGPT hit by severe prompt injection bugs enabling silent data theft

Tappy Admin
December 8, 2025

OpenAI’s flagship chatbot, ChatGPT, is facing fresh scrutiny after cybersecurity researchers uncovered seven serious prompt injection vulnerabilities that allow attackers to silently steal user data, hijack conversations, and poison long-term memory without the victim clicking anything.

The findings, disclosed by cybersecurity firm Tenable, highlight growing concerns about the fragility of large language models (LLMs) when exposed to web content, plugins, and autonomous browsing tools.

According to researchers Moshe Bernstein and Liv Matan, the vulnerabilities affect OpenAI’s GPT-4o and GPT-5 models and stem from the chatbot’s inability to reliably distinguish genuine user instructions from hidden malicious data embedded in webpages, comments, or URLs. By exploiting this weakness, attackers can inject invisible commands that ChatGPT will interpret as legitimate instructions, often without the user ever visiting a suspicious website.

One of the most alarming flaws is a zero-click indirect prompt injection technique, in which merely asking ChatGPT to look up or summarize information about a little-known website can trigger malicious behavior. If the site has been indexed by OpenAI’s SearchGPT or external crawlers and contains embedded attacker-controlled instructions, ChatGPT may execute them automatically. This opens the door to unauthorized data exfiltration, manipulated outputs, or even actions that persist across future sessions.

Another vulnerability involves memory poisoning, where hidden instructions inserted into a webpage remain in ChatGPT’s memory after the summary request. This can influence future conversations, alter the model’s behavior, or leak stored personal information. Because memory is designed to improve personalization over time, its misuse poses long-term risks for both consumers and enterprises.

Researchers also identified a safety filter bypass that exploits trusted domains. Because Bing.com is allow-listed as safe, attackers can disguise malicious commands inside Bing advertising URLs (bing.com/ck/a). When rendered by ChatGPT, these links execute the concealed instructions, effectively sidestepping OpenAI’s safety mechanisms.
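A defender-side check for the allow-list weakness described above, added here as an example and not code from Tenable or OpenAI: a link's host name proves nothing when the allow-listed host also runs a redirector such as bing.com/ck/a, so the policy below treats redirector paths as untrusted unless their final destination is itself allow-listed. The redirect table, the `hypothetical=` query strings and the `REDIRECTOR_PREFIXES` policy are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed policy for the example: hosts a link renderer trusts, and paths on
# those hosts that only redirect elsewhere (the article names bing.com/ck/a).
ALLOWLIST = {"bing.com", "www.bing.com"}
REDIRECTOR_PREFIXES = {"bing.com": ("/ck/a",), "www.bing.com": ("/ck/a",)}

def host_of(url):
    """Lower-cased host of an http(s) URL, or None for any other scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return (parts.hostname or "").lower().rstrip(".") or None

def naive_host_check(url):
    """The weak rule: trust any link whose host is allow-listed. It waves a
    bing.com/ck/a redirector through no matter where the redirect lands."""
    return host_of(url) in ALLOWLIST

def classify_link(url, resolve=None, max_hops=3):
    """Return "trusted" or "untrusted". A link is trusted only if its host is
    allow-listed and its path is not a known redirector; a redirector is judged
    by its final destination, obtained via resolve(url) -> next_url (None if
    unknown). Without a resolver, or after max_hops, it stays untrusted."""
    host = host_of(url)
    if host is None or host not in ALLOWLIST:
        return "untrusted"
    path = urlsplit(url).path or "/"
    if not any(path.startswith(p) for p in REDIRECTOR_PREFIXES.get(host, ())):
        return "trusted"
    # Allow-listed host but a redirector path: the host name says nothing about
    # where the click ends up, so follow the redirect and judge that instead.
    if resolve is None or max_hops <= 0:
        return "untrusted"
    nxt = resolve(url)
    return "untrusted" if nxt is None else classify_link(nxt, resolve, max_hops - 1)

def demo_resolver(url):
    """Constructed redirect table standing in for a real HTTP lookup."""
    table = {
        "https://www.bing.com/ck/a?hypothetical=1": "https://attacker.example/payload",
        "https://www.bing.com/ck/a?hypothetical=2": "https://www.bing.com/search?q=weather",
    }
    return table.get(url)
```

In a real deployment `resolve` would perform the HTTP request without following redirects and return the `Location` header, so the decision is made on where the click actually lands rather than on the host shown in the link.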

Other attack techniques discovered include conversation injection, where malicious prompts placed in a webpage contaminate the chatbot’s ongoing conversational context; one-click prompt injection, triggered simply by clicking a booby-trapped ChatGPT link with a preloaded “q=” parameter; and Markdown rendering bugs that allow attackers to hide malicious content inside code-block syntax.

Tenable said OpenAI has addressed some of the vulnerabilities, though others remain partially unresolved due to broader limitations in LLM design. “Prompt injection is a known issue with the way LLMs work, and unfortunately, it will probably not be fixed systematically in the near future,” the researchers warned.

The revelations come as the wider AI sector confronts a wave of emerging attack vectors, from PromptJacking in Anthropic’s Claude to remote injection flaws in Microsoft 365 Copilot and GitHub Copilot. Collectively, these bugs underscore the expanding attack surface of AI agents as they gain access to external tools, browsing capabilities, and user memories.

The growing risks have prompted experts to urge tighter restrictions on AI browsing, stricter content sanitisation, and careful deployment of memory features, especially in enterprise environments.

For now, researchers say attackers can still exploit subtle gaps in LLM reasoning to orchestrate silent data theft, a threat likely to persist as models become more interconnected and autonomous than ever.