Seven Critical Vulnerabilities Open ChatGPT to Data Theft and Hijacking
Tenable research reveals hidden AI flaws that allow data exfiltration, safety override, and persistent compromise within ChatGPT
Posted: Thursday, Nov 06

Tenable, the exposure management company, discovered seven vulnerabilities and attack techniques during testing of OpenAI’s ChatGPT-4o, several of which were later found to persist in ChatGPT-5. Collectively known as HackedGPT, these flaws expose users to privacy risks by bypassing built-in safety mechanisms. While OpenAI has remediated some of the issues identified, others had not been addressed at the time of publication, leaving certain exposure paths open. If exploited, they could allow attackers to secretly steal personal data, including stored chats and memories.

The vulnerabilities reveal a new class of AI attack called indirect prompt injection, where hidden instructions in external websites or comments can trick the model into performing unauthorised actions. These flaws affect ChatGPT’s web browsing and memory features, which process live internet data and store user information, creating opportunities for manipulation and data exposure.

Tenable researchers show that these attacks can occur silently in two ways: “0-click” attacks, where simply asking ChatGPT a question triggers the compromise, and “1-click” attacks, where clicking a malicious link activates hidden commands. Even more concerning is a technique called Persistent Memory Injection, where harmful instructions are saved in ChatGPT’s long-term memory and remain active after the user closes the app. This lets attackers plant lasting threats that can expose private information across future sessions until removed. Together, these flaws show how attackers could bypass OpenAI’s safeguards and access users’ private histories.

“HackedGPT exposes a fundamental weakness in how large language models judge what information to trust,” said Moshe Bernstein, Senior Research Engineer at Tenable. “Individually, these flaws seem small — but together they form a complete attack chain, from injection and evasion to data theft and persistence. It shows that AI systems aren’t just potential targets; they can be turned into attack tools that silently harvest information from everyday chats or browsing.”

HackedGPT: The Seven Vulnerabilities and Attack Techniques Identified by Tenable Research

  1. Indirect prompt injection via trusted sites
    Attackers hide commands inside legitimate-looking online content such as blog comments or public posts. When ChatGPT browses that content, it unknowingly follows those hidden instructions. In short, ChatGPT can be tricked into doing what an attacker tells it to, just by reading a compromised page.
  2. 0-click indirect prompt injection in search context
    A user doesn’t have to click or do anything special to be exposed. When ChatGPT searches the web for answers, it can encounter a page with hidden malicious code. Simply asking a question could cause the model to follow those instructions and leak private data — what researchers call a single-prompt compromise.
  3. Prompt injection via 1-click
    A single click can trigger an attack. Hidden commands embedded in seemingly harmless links, like https://chatgpt.com/?q={Prompt}, can make ChatGPT execute malicious actions without the user realising it. One click is enough to let an attacker take control of your chat.
  4. Safety mechanism bypass
    ChatGPT normally validates links and blocks unsafe sites. Attackers bypass that by using trusted wrapper URLs (for example, Bing’s bing.com/ck/a?...) which hide the real destination. ChatGPT trusts the wrapper, displays the apparently safe link, and can be led to a malicious site.
  5. Conversation injection
    ChatGPT uses two systems — SearchGPT for browsing and ChatGPT for conversation. Attackers can use SearchGPT to insert hidden instructions that ChatGPT later reads as part of the conversation. In effect, the AI ends up “prompt-injecting itself,” following commands the user never wrote.
  6. Malicious content hiding
    A formatting bug allows attackers to conceal malicious instructions inside code or markdown text. The user sees a clean message, but ChatGPT still reads and executes the hidden content.
  7. Persistent memory injection
    ChatGPT’s memory feature stores past interactions. Attackers can plant malicious instructions in that long-term memory, causing the model to repeat those commands across sessions and continuously leak private data until the memory is cleared.

Potential Impact of Exploiting HackedGPT

Hundreds of millions of people use ChatGPT daily for business, research, and personal communication. If exploited, these flaws could:

  • Insert hidden commands into conversations or long-term memories.
  • Steal sensitive data from chat histories or connected services such as Google Drive or Gmail.
  • Exfiltrate information through browsing and web integrations.
  • Manipulate responses to spread misinformation or influence users.

Tenable Research conducted its investigation under responsible disclosure practices. OpenAI has remediated some of the vulnerabilities identified, but several remain active in ChatGPT-5 or had not been addressed at the time of publication, leaving certain exposure paths open.

Tenable advises AI vendors to harden defences against prompt injection by verifying that safety mechanisms such as url_safe work as intended and by isolating browsing, search, and memory features to prevent cross-context attacks.
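The two controls recommended above, link validation that does not stop at a trusted wrapper host and isolation of memory writes from untrusted browsed content, can be sketched as a small policy layer. This is an added illustration, not Tenable's or OpenAI's code; the wrapper list, the `Context` class and the confirmation flag are assumptions, and the page only names bing.com/ck/a and chatgpt.com/?q= as the patterns involved.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

# Hosts/paths that merely redirect elsewhere. Assumption: illustrative list;
# the page names Bing's bing.com/ck/a wrapper as one such case.
REDIRECT_WRAPPERS = {("bing.com", "/ck/a"), ("www.bing.com", "/ck/a")}


@dataclass
class Context:
    """Provenance-tagged conversation state (assumed helper, not a real API).

    `tainted` becomes True once any browsed/searched text has been loaded,
    so later actions can be gated on whether untrusted content is present.
    """
    tainted: bool = False
    memory: list = field(default_factory=list)


def ingest_tool_result(ctx: Context, text: str) -> str:
    """Everything returned by browsing or search is untrusted by default."""
    ctx.tainted = True
    return text


def url_policy(url: str) -> str:
    """Classify a link the assistant wants to render: block / review / allow."""
    p = urlparse(url)
    host = p.netloc.lower()
    # A known redirect wrapper hides the real destination; the wrapper host
    # being trusted says nothing about where the user will actually land.
    if (host, p.path) in REDIRECT_WRAPPERS:
        return "review"
    # A pre-filled prompt link is the 1-click vector described on the page.
    is_chatgpt = host == "chatgpt.com" or host.endswith(".chatgpt.com")
    if is_chatgpt and "q" in parse_qs(p.query, keep_blank_values=True):
        return "block"
    return "allow"


def memory_write(ctx: Context, note: str, user_confirmed: bool = False) -> bool:
    """Refuse to persist memory while untrusted content is in context,
    unless the user explicitly confirms the write (cross-context isolation)."""
    if ctx.tainted and not user_confirmed:
        return False
    ctx.memory.append(note)
    return True
```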

Recommendations for Security Teams

Tenable advises security professionals to:

  • Treat AI tools as live attack surfaces, not passive assistants.
  • Audit and monitor AI integrations for manipulation or data leakage.
  • Investigate unusual requests or outputs that could signal prompt injection.
  • Test and reinforce defences against injection and exfiltration paths.
  • Establish governance and data-classification controls for AI use.

“This research isn’t just about exposing flaws — it’s about changing how we secure AI,” Bernstein added. “People and organisations alike need to assume that AI tools can be manipulated and design controls accordingly. That means governance, data safeguards, and continuous testing to make sure these systems work for us, not against us.”

The full research report is available here
