HackedGPT: Seven Critical Vulnerabilities Expose ChatGPT to Data Theft and Persistent Hijacking

Cyber researchers at Tenable have uncovered seven major vulnerabilities affecting OpenAI’s ChatGPT, exposing users to potential data theft, safety bypass, and long-term compromise through a new class of attacks targeting artificial intelligence systems.
The flaws, collectively dubbed HackedGPT, were identified during testing of OpenAI’s ChatGPT-4o, with several still present in ChatGPT-5. While OpenAI has addressed some of the issues, others remain unresolved, leaving certain exposure paths open to exploitation. According to Tenable, these weaknesses could enable attackers to secretly extract personal data — including stored chats and memory content — without user awareness.
At the heart of the discovery is a new type of AI exploit known as indirect prompt injection. This technique allows attackers to hide malicious instructions inside trusted web pages, comments, or posts. When ChatGPT interacts with that content, it unknowingly executes the embedded commands.
Tenable’s research found that such attacks can occur silently, even without user interaction. In “0-click” attacks, simply asking ChatGPT a question can trigger the exploit, while “1-click” attacks activate malicious commands through a single user click on a link.
One of the most concerning findings is a method called Persistent Memory Injection, which allows harmful instructions to be saved inside ChatGPT’s long-term memory. These malicious prompts can remain active across sessions, continuing to exfiltrate sensitive data until manually removed.
Moshe Bernstein, Senior Research Engineer at Tenable, said the discovery highlights a fundamental flaw in how large language models determine trust.
“Individually, these flaws seem small — but together they form a complete attack chain, from injection and evasion to data theft and persistence,” Bernstein said. “It shows that AI systems aren’t just potential targets; they can be turned into attack tools that silently harvest information from everyday chats or browsing.”
The seven vulnerabilities identified include:
  • Indirect prompt injection via trusted sites – Malicious instructions hidden within legitimate online content.
  • 0-click prompt injection – Compromise triggered automatically during browsing or search.
  • 1-click prompt injection – Activation via seemingly safe links.
  • Safety mechanism bypass – Exploiting trusted wrapper URLs to disguise malicious sites.
  • Conversation injection – Using ChatGPT’s own browsing system to insert commands into ongoing chats.
  • Malicious content hiding – Concealing harmful instructions within formatted code or markdown.
  • Persistent memory injection – Inserting lasting instructions into long-term memory for ongoing data leakage.
If exploited, these vulnerabilities could enable attackers to insert hidden commands into conversations, steal information from chat histories or linked services, and manipulate responses to spread misinformation.
Tenable’s researchers disclosed the findings responsibly and warned that similar vulnerabilities could exist in other AI systems using browsing or memory features. The company recommends that AI developers isolate and sandbox those features to prevent cross-context manipulation, validate safety filters, and apply zero-trust principles to AI inputs.
For security teams, Tenable advises treating AI models as live attack surfaces. Recommended actions include:
  • Monitoring AI integrations for signs of manipulation or data leakage.
  • Testing defences against injection and exfiltration attempts.
  • Implementing governance and data-classification controls around AI usage.
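One way a security team could start on the monitoring item above, shown as an added example that is not Tenable's or OpenAI's code: a check over assistant output that unwraps redirect-style "wrapper" URLs and tests every nested destination against an allowlist, so a trusted outer domain cannot vouch for an untrusted inner one. The allowlist, the length threshold, the function names and the sample text are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: hosts this deployment lets the assistant link to.
ALLOWED_HOSTS = {"docs.example.com", "intranet.example.com"}
MAX_VALUE_LEN = 64   # assumption: longer query values are worth a review
MAX_DEPTH = 3        # stop unwrapping after this many nested wrappers
URL_RE = re.compile(r"https?://[^\s)<>\"']+")

def final_destinations(url, depth=0):
    """Hosts reached by the URL itself and by any URL-valued query parameter."""
    parts = urlsplit(url)
    hosts = [(parts.hostname or "").lower()]
    if depth < MAX_DEPTH:
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded targets
            if value.lower().startswith(("http://", "https://")):
                hosts += final_destinations(value, depth + 1)
    return hosts

def review_links(model_output):
    """Return one finding per URL in the assistant's output that needs review."""
    findings = []
    for url in URL_RE.findall(model_output):
        url = url.rstrip(".,;")
        reasons = []
        off_list = [h for h in final_destinations(url) if h not in ALLOWED_HOSTS]
        if off_list:
            reasons.append("destination not allowlisted: " + ", ".join(off_list))
        query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        if any(len(v) > MAX_VALUE_LEN for _, v in query):
            reasons.append("long query value, possible data carried in URL")
        if reasons:
            findings.append({"url": url, "reasons": reasons})
    return findings

# Constructed sample output: one ordinary link, one allowlisted wrapper whose
# nested target is off-list and carries a long parameter.
SAMPLE_OUTPUT = (
    "See [the guide](https://docs.example.com/guide?page=2) and "
    "![status](https://docs.example.com/redirect?u="
    "https%3A%2F%2Fcollector.invalid%2Fp%3Fd%3D" + "A" * 80 + ")"
)

if __name__ == "__main__":
    for finding in review_links(SAMPLE_OUTPUT):
        print(finding["url"][:60], "->", "; ".join(finding["reasons"]))
```

Findings from a check like this are better routed to logging and review before the link is rendered than silently dropped, since a hit may indicate that upstream content has already influenced the model.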
Bernstein said the findings should serve as a wake-up call for the industry. “This research isn’t just about exposing flaws — it’s about changing how we secure AI,” he said. “People and organisations alike need to assume that AI tools can be manipulated and design controls accordingly. That means governance, data safeguards, and continuous testing to make sure these systems work for us, not against us.”
As generative AI becomes embedded across enterprise and government systems, HackedGPT underscores a critical truth: AI’s potential must be matched with equally advanced security oversight.