• pixxelkick@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    8 months ago

    Not related to the article at all mate.

    This article is about how many plugins have Bern discovered to have implemented oath in a very insecure way and simply using them can expose your sensitive info you have linked to your chatgpt account.

    IE:

    1. You connect your github account to your chatgpt account (so you can ask chatgpt questions about your private codebase)

    2. You install and use one of many other compromisable weakly implemented plugins

    3. Attacker uses the weak plugin to compromise your whole account and can now access anything you attached to your account, IE they can now access your private git repos you hooked up in step 1…

    Most of the attack vectors involve a basic (hard to notice) phish attack on weak oath urls.

    The tricky part is the urls truly are and look legit. It isn’t a fake url, it actually links to the legit page, but they added some query params (the part after the ? In the url) that compromise the way it behaves

    • catloaf@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      2
      ·
      8 months ago

      Yeah, it’s a legit exploit.

      But it could also be mitigated by not giving your sensitive data to chatgpt.

      • ggppjj@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        8 months ago

        I think that I understand what you mean, but what you said was kinda obvious, and also not particularly useful to the overall conversation.

        I think you mean “don’t give OpenAI access to your personal data”, which I personally agree with.

        I read what you wrote as being analogous to a patient coming in to a doctor and saying “It hurts when I do this” only to have the doctor say “well, don’t do that then”.

        Considering the company’s garbage history with treating our data with any real respect, I would also recommend strongly against giving them more information about yourself or your works. I also think that the people that have decided against that advice to use these plugins should be made aware of the issue with them and that also OpenAI should fix them promptly.