In the world of AI, trust is built on a simple, unspoken agreement: what stays in the chat, stays in the system. Users routinely share their most intimate details with assistants, from medical histories and tax debts to sensitive legal contracts. However, an investigation by Check Point Research has shattered that illusion, revealing a hidden outbound path that allowed sensitive data to be “silently exfiltrated without the user’s knowledge or approval”.
ChatGPT utilizes a specialized Linux-based environment for complex tasks like data analysis and code execution. This environment is designed as a “secure code execution runtime that cannot generate direct outbound network requests”. While OpenAI has built-in safeguards to block conventional internet access, researchers discovered that a critical infrastructure layer remained open: DNS resolution.

By using a technique known as DNS Tunneling, an attacker could bypass the isolation boundary.
- Encoding Data: Sensitive information is broken into fragments and encoded into subdomain labels (e.g., encoded-data.attacker-site.com).
- The Resolver Chain: Because DNS is a legitimate part of the environment’s operation, these queries travel through the normal infrastructure until they reach the attacker’s server.
- Bidirectional Control: The tunnel also works in reverse, allowing an attacker to “establish a remote shell inside the Linux environment” and send commands back into the container.
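
On the defensive side, the encoding step above leaves a recognizable trace in resolver logs: many unique, long, high-entropy subdomains under a single parent domain. The following is an added example, not code from Check Point or OpenAI; the thresholds, the two-label base-domain rule and the sample queries are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str):
    """Return (subdomain_part, base_domain). Assumption: base = last two labels;
    a production version would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_candidates(qnames, min_unique=4, min_avg_len=16, min_entropy=2.5):
    """Flag base domains whose queried subdomains are numerous, long and high-entropy."""
    subs = defaultdict(set)
    for q in qnames:
        sub, base = split_name(q)
        if sub:
            subs[base].add(sub)  # set() collapses retransmitted queries
    flagged = {}
    for base, names in subs.items():
        avg_len = sum(len(n) for n in names) / len(names)
        avg_ent = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        if len(names) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[base] = {"unique": len(names), "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return flagged

# Constructed sample of resolver-log query names (not real traffic).
SAMPLE_QUERIES = [
    "www.shop.example", "api.shop.example", "cdn.shop.example", "img.shop.example",
    "mail.corp.example", "www.corp.example",
    "4a616e6520446f652c2061676520.0.collector.example",  # hex fragment + sequence no.
    "34322c2066657665722c20636f75.1.collector.example",
    "67682c206c6162207265706f7274.2.collector.example",
    "3a20656c6576617465642043525f.3.collector.example",
    "4a616e6520446f652c2061676520.0.collector.example",  # duplicate (retry)
]

if __name__ == "__main__":
    for domain, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(domain, stats)
```

Requiring all three signals together keeps a domain with many short, ordinary hostnames (shop.example in the sample) from being flagged.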
The beauty, and the danger, of this attack is how it hides within ordinary user behavior. Check Point demonstrated the vulnerability through a “personal doctor” GPT.
In a proof-of-concept, a user uploaded a PDF of laboratory results containing their full name and symptoms. While the assistant “answered confidently that it had not” uploaded the data anywhere online, the attacker’s server was simultaneously receiving the patient’s identity and the model’s medical assessment.
“Crucially, because the model operated under the assumption that this environment could not send data outward directly, it did not recognize that behavior as an external data transfer requiring resistance or user mediation”.
Users didn’t even need to use a custom GPT to be at risk. The internet is awash with “productivity prompts” and “hacks”. An attacker could distribute a malicious prompt disguised as a way to “unlock premium capabilities for free” or enable “Pro-level behavior” on a basic account.
Copying and pasting such a prompt into a routine conversation would turn it into a “covert collection channel”. From that moment on, every message sent by the user, or summary generated by the AI, could be silently leaked to an external server without a single warning or approval request.
Upon receiving the report from Check Point, OpenAI moved quickly to close the side channel. The company confirmed it had identified the underlying issue internally, and a full fix was deployed on February 20, 2026.
While this specific hole has been plugged, the researchers warn that as AI assistants evolve to automate more complex tasks, their attack surface will continue to grow. “Protecting these environments requires careful control over every possible outbound communication path, including infrastructure layers that users never see,” the report concludes.
Even the most helpful AI assistants are real execution environments, and their safety depends on the security of every layer of the platform.