According to a blog post by researchers from the cybersecurity company Veriti, a critical vulnerability in ChatGPT could be used by cybercrooks to gain unauthorized access to sensitive information.

The flaw, CVE-2024-27564, could pose a risk to businesses that use the generative artificial intelligence (GenAI) application. “It allows attackers to inject malicious URLs into input parameters, forcing the application to make unintended requests on their behalf,” the post said.

These attacks could lead to data breaches, unauthorized transactions, regulatory penalties and reputational damage.

The good news is that the ChatGPT bug is officially classified as being of “medium severity” on the National Institute of Standards and Technology’s National Vulnerability Database. The bad news is that as of Thursday (March 20) CVEDetails.com updated its Exploit Prediction Scoring System score of the bug from 1.68% to a much more concerning 55.36%.

According to a Dark Reading report, more than 10,000 attempts involving the ChatGPT vulnerability were made in a single week and came from a single malicious IP address.

The Veriti post said the most common exploitation targets are U.S. financial institutions and government entities. “Banks and FinTech firms depend on AI-driven services and API integrations, making them vulnerable to SSRF (Server-Side Request Forgery) attacks that access internal resources or steal sensitive data,” the company said.

Here’s a YouTube demo video of how the attack works.

Some steps that can be taken right away to address this threat and to protect your data and systems include:

Monitoring ChatGPT usage for any suspicious activity or unauthorized access attempts.

Working with IT to implement input validation so that only properly formatted and safe data enters your system.

Ensuring that all software and systems, including ChatGPT integrations, are up to date with the latest security patches.

Educating employees about the risks associated with GenAI technology and how to identify and report suspicious activity.
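The first two steps above, monitoring and input validation, map directly onto how an SSRF flaw of the kind Veriti describes is contained: the server must refuse to fetch a caller-supplied URL unless it points at a host the application is meant to reach, and repeated rejected attempts from one client should surface in monitoring. The following is an added example written for this article, not code from Veriti, OpenAI or the affected project; the allowlisted host names, the log format and the log lines are all constructed for illustration.

```python
"""Allowlist-based validation for a URL input parameter, plus a small monitor
that counts rejected fetch attempts per client IP.

Example code added for illustration. Host names, log format and log lines are
constructed; they do not come from the vulnerable application or from Veriti.
"""
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed allowlist: the only hosts the server-side fetcher may contact.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def check_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a caller-supplied URL.

    Accept only http(s) URLs whose host is on the allowlist, with no embedded
    credentials and no IP-literal host. Anything else is refused before the
    server makes a request on the caller's behalf.
    """
    try:
        parsed = urlparse(url.strip())
        host = parsed.hostname          # can raise on malformed IPv6 brackets
    except ValueError:
        return False, "unparseable"
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        # "https://images.example.com@evil.example/" parses with host evil.example;
        # refuse userinfo outright so the lookalike prefix cannot mislead reviewers.
        return False, "credentials in URL"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Loopback, link-local (cloud metadata), RFC 1918 and similar ranges are
        # the usual SSRF targets; refuse every IP literal rather than enumerate them.
        internal = (addr.is_private or addr.is_loopback
                    or addr.is_link_local or addr.is_reserved)
        return False, f"{'internal' if internal else 'public'} IP literal host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not allowlisted: {host}"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"port not allowed: {port}"
    return True, "ok"


def parse_log_line(line: str) -> tuple[str, str]:
    """Constructed log format: '<client-ip> <requested-url>'."""
    client_ip, _, url = line.partition(" ")
    return client_ip, url


def flag_repeat_offenders(log_lines, threshold: int = 3) -> dict[str, int]:
    """Count rejected URL fetches per client IP; return IPs at or above threshold.

    A single source producing many rejected requests is the pattern the Dark
    Reading figure (thousands of attempts from one IP) describes.
    """
    rejected = Counter()
    for line in log_lines:
        if not line.strip():
            continue
        client_ip, url = parse_log_line(line)
        accepted, _reason = check_url(url)
        if not accepted:
            rejected[client_ip] += 1
    return {ip: n for ip, n in rejected.items() if n >= threshold}


# Constructed sample log: one client probing internal targets, one normal client.
SAMPLE_LOG = """\
203.0.113.7 http://169.254.169.254/latest/meta-data/
203.0.113.7 http://127.0.0.1:8080/admin
203.0.113.7 http://10.0.0.5/
203.0.113.7 file:///etc/passwd
198.51.100.2 https://images.example.com/logo.png
198.51.100.2 https://cdn.example.com@evil.example/pixel.gif
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ip, url = parse_log_line(line)
        print(ip, url, check_url(url))
    print("repeat offenders:", flag_repeat_offenders(SAMPLE_LOG.splitlines()))
```

Two design points matter in practice. First, checking the host name alone is not the whole defence: the fetcher should also resolve the name and re-check the resolved address at connection time, and should not follow redirects, otherwise an allowlisted name can still be steered at an internal address. Second, the rejection reason is returned rather than discarded so that the monitoring side can log it; a burst of "internal IP literal host" rejections from one client is exactly the signal the first step in the list above asks you to watch for.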

To an extent, the largest banks seem to already be aware of the general risks associated with GenAI, PYMNTS reported.