OpenAI’s chatbot service, ChatGPT, recently suffered a data exposure incident, where users’ personal information and chat titles were accidentally made visible to other users. Upon investigation, the company traced the root cause to a Redis bug in an open-source library. In this article, we will explore the details of the incident and the Redis bug responsible for it.
The Redis Bug and Its Impact
On March 20, 2023, ChatGPT users started reporting seeing other users’ conversation histories in their accounts. The company traced the exposure to a bug in an open-source Redis client library, redis-py. The chatbot service uses Redis to cache user information on its server, and the redis-py library interfaces with Redis from the Python server, which runs with Asyncio.
The Bug’s Technical Details
The redis-py library uses a shared pool of connections between the server and the Redis cluster. Once a connection completes a request, it is recycled for another request. The bug occurs when a request is canceled after it has been pushed onto the incoming queue but before its response has been popped from the outgoing queue. The connection is then corrupted: the reply that was never read stays behind, and the next response dequeued for an unrelated request receives that leftover data. When the leftover data happens to match the data type the requester was expecting, the response looks valid even though it belongs to another user.
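The following added example is not OpenAI’s or redis-py’s code; it models the race in plain asyncio with a toy connection on which commands and replies travel over one ordered stream. The user names, cache records and the `checked_get` helper are constructed for illustration. Cancelling a request between the write and the read leaves its reply pending, so the next request on the recycled connection receives another user’s record; `checked_get` shows the kind of redundant owner check that catches the mismatch.

```python
import asyncio

# Constructed cache contents standing in for per-user records held in Redis.
CACHE = {"alice": {"user": "alice", "email": "alice@example.test"},
         "bob": {"user": "bob", "email": "bob@example.test"}}

class Connection:
    """Toy pooled connection: commands go out on one stream and replies
    come back on the same stream, strictly in order."""
    def __init__(self):
        self.commands = asyncio.Queue()
        self.replies = asyncio.Queue()
        self._server = asyncio.create_task(self._serve())

    async def _serve(self):  # simulated Redis answering in arrival order
        while True:
            key = await self.commands.get()
            await asyncio.sleep(0.001)  # network/server latency
            await self.replies.put(dict(CACHE[key]))

    async def get(self, key):
        await self.commands.put(key)     # request pushed onto the queue
        return await self.replies.get()  # cancellation here orphans the reply

async def checked_get(conn, key):
    """Redundant check of the kind described above: refuse a reply that is
    not the requesting user's and retire the connection."""
    reply = await conn.get(key)
    if reply["user"] != key:
        conn._server.cancel()  # connection is out of sync; never reuse it
        return None
    return reply

async def demo(checked):
    conn = Connection()
    first = asyncio.create_task(conn.get("alice"))
    await asyncio.sleep(0)  # "alice" is on the wire, reply not yet read
    first.cancel()          # e.g. a client-side timeout
    try:
        await first
    except asyncio.CancelledError:
        pass
    # The recycled connection still carries alice's pending reply, so bob's
    # request is answered with alice's record unless the reply is checked.
    return await (checked_get(conn, "bob") if checked else conn.get("bob"))

def run_demo(checked=False):
    return asyncio.run(demo(checked))
```

Running `run_demo(False)` returns alice’s record for a request made on behalf of bob, while `run_demo(True)` returns None because the owner check rejects the reply.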
The Incident and Its Impact
The company quickly addressed the Redis bug and took ChatGPT offline. Upon investigating the incident, they discovered that the bug had unintentionally exposed payment-related information of 1.2% of the ChatGPT Plus subscribers. The affected users had their first and last names, email addresses, payment addresses, the last four digits of their credit card numbers, and credit card expiration dates exposed. However, the company clarified that full credit card numbers were not disclosed at any time. They also notified the impacted users and implemented redundant checks to ensure that the data returned by their Redis cache matches the requesting user.
The ChatGPT data exposure incident highlights the importance of rigorous testing and security checks, especially when using open-source libraries. While the Redis bug responsible for this incident has been addressed, companies should remain vigilant and proactive in protecting user data.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.