A vulnerability in the code execution environment of OpenAI’s ChatGPT allowed for the silent exfiltration of sensitive user data. Check Point Research detailed how a malicious prompt could turn a standard conversation into a covert communication channel, bypassing intended safeguards designed to isolate the system’s Linux-based execution runtime.
Check Point said it reported the issue to OpenAI, and OpenAI told the company it had already identified the underlying problem internally and fully deployed a fix on Feb. 20.
The flaw leveraged DNS tunneling to transmit data. While OpenAI’s environment restricts direct outbound internet requests, researchers found that DNS resolution remained accessible. By encoding data—such as patient records or corporate secrets—into subdomain labels, an attacker could trigger lookups that carried information out of the “secure” container to an external server. Furthermore, this bidirectional channel enabled the establishment of a remote shell, allowing external commands to be executed within the ChatGPT environment.
The report comes as AI vendors are increasingly framing prompt injection and data exfiltration as operational security issues, not edge cases. OpenAI’s developer guidance says prompt injection can cause a model to send private data to an external destination and recommends staged workflows, tool-call logging and tighter controls over external connections.
In February, OpenAI also introduced Lockdown Mode in ChatGPT, saying the setting is designed to reduce prompt injection-based data exfiltration by restricting how ChatGPT interacts with external systems. Companies are increasingly forced to shift AI security from policy language to architecture decisions, such as which tools are enabled, what can reach the internet and how sensitive workflows are segmented, an OpenAI Developers resource blog points out.