Tools / News / ChatGPT's Hidden DNS Channel Let Malicious GPTs Silently Steal Uploaded Files
Press

ChatGPT's Hidden DNS Channel Let Malicious GPTs Silently Steal Uploaded Files

· VaultTools

Check Point Research disclosed a vulnerability in ChatGPT's code execution sandbox that allowed uploaded files, conversations, and medical records to be silently exfiltrated through DNS queries. A separate flaw in OpenAI Codex enabled GitHub token theft via malicious branch names. Both were patched in February 2026.

VaultTools · April 8, 2026

Server room with blue lighting, representing cloud infrastructure and the hidden network channels through which data can be exfiltrated. Photo on Unsplash

Table of Contents


What Happened

On March 30, 2026, Check Point Research publicly disclosed a vulnerability in ChatGPT’s code execution sandbox that allowed silent exfiltration of user data, including uploaded files, conversation text, and AI-generated summaries. OpenAI’s own security documentation stated that the runtime “cannot generate direct outbound network requests.” That claim was technically correct but practically incomplete: DNS resolution remained open, and it was enough.

Check Point described the flaw as a “hidden exfiltration channel” that “a single malicious prompt could activate inside a regular ChatGPT conversation.” OpenAI confirmed it had “already identified the underlying problem internally” and deployed a fix on February 20, 2026.

Separately, BeyondTrust’s Phantom Labs disclosed a command injection vulnerability in OpenAI Codex, reported on December 16, 2025, and patched on February 5, 2026.

How the DNS Channel Worked

ChatGPT’s Data Analysis environment runs user code in an isolated Linux container. Standard HTTP and TCP connections to external hosts are blocked. However, the container still performed DNS lookups as part of normal system operations.

Check Point researchers exploited this gap by encoding stolen data into DNS-safe fragments, placing them as subdomains in queries directed at an attacker-controlled domain. On the attacker’s side, incoming DNS queries were logged and the fragments reassembled into the original payload.

The channel was bidirectional. Instructions could be sent back through DNS responses, meaning “a process running inside the container could then read those responses, reassemble the payload, and continue the exchange.” This enabled not only data theft but full remote shell access inside the container, all invisible to the user and bypassing ChatGPT’s safety filters entirely.

Proof of Concept: Medical Records Exfiltrated in Real Time

Check Point built a custom GPT disguised as a health analyzer. A test user uploaded a PDF containing laboratory results with personal identifying information. ChatGPT processed the document and assured the user that the file “was only stored in a secure internal location.” Meanwhile, the malicious GPT had already transmitted “the patient’s identifying details together with the model’s assessment” to a remote server.

The attack required no technical skill from the victim. Two delivery methods were demonstrated. In the first, a user was tricked into pasting a prompt advertised as a “productivity trick” that contained hidden exfiltration logic. In the second, a backdoored custom GPT embedded the exfiltration code in its system instructions, activating automatically during normal conversation.

The researchers emphasized four properties that made the flaw dangerous: invisibility (no warnings or approval dialogs appeared), ease of distribution (via social engineering or GPT Store listings), sensitive data exposure (medical records, financial documents, conversation history), and persistence (every subsequent message in the session was compromised once the malicious prompt was injected).

A Second Flaw: Codex GitHub Token Theft

BeyondTrust’s Phantom Labs separately identified a command injection vulnerability in OpenAI Codex. The flaw stemmed from improper input sanitization when processing GitHub branch names during cloud-based task execution. An attacker could craft a malicious branch name that injected arbitrary commands into the Codex agent’s container, retrieving the GitHub User Access Token and gaining read/write access to the victim’s entire codebase.

The vulnerability affected the ChatGPT website, Codex CLI, Codex SDK, and the Codex IDE extension. It was reported on December 16, 2025, and patched on February 5, 2026. OpenAI stated there is no evidence either flaw was exploited in the wild.

What This Means for File Processing

Both vulnerabilities share a common root: files and code were uploaded to a cloud environment where the user had no visibility into what happened after submission. ChatGPT’s sandbox was designed to be isolated, and OpenAI’s documentation said it was. The DNS channel proved otherwise.

Every file uploaded to a cloud AI service passes through infrastructure the user cannot inspect or audit. The DNS exfiltration flaw is a concrete demonstration of how sensitive documents (medical records, legal contracts, financial statements) can leave a “secure” environment through channels that were never anticipated in the threat model.

Client-side processing eliminates this attack surface entirely. When a file is processed in WebAssembly inside the browser, there is no container to escape from, no DNS resolver to abuse, and no remote server that ever receives the file. The processing logic runs in a sandbox controlled by the browser itself, with no network access of any kind. The file stays on the device because it was never sent anywhere.

For users handling sensitive documents, the question is not whether cloud providers will find and patch every side channel. It is whether the file needed to leave the device in the first place.


Sources