Check Point Reveals Hidden ChatGPT DNS Exfiltration Flaw That Could Silently Leak Private User Data
Check Point Research has disclosed a now-patched vulnerability in ChatGPT that allowed sensitive user data to be silently exfiltrated through DNS resolution, exposing a hidden outbound path inside the platform’s Linux-based code execution runtime. The flaw is notable because it did not rely on a classic exploit chain such as remote code execution or direct network access. Instead, it abused a trusted, low-visibility system function that many defenses assumed was harmless.
According to Check Point, the issue affected the isolated code execution environment used by ChatGPT for certain tasks. That environment was designed to restrict direct outbound internet access and to require user awareness or approval before data could leave through normal external channels. But DNS lookups remained available, creating what the researchers describe as a covert outbound channel. By encoding sensitive data into subdomain labels and triggering DNS queries to an attacker-controlled domain, a malicious prompt could exfiltrate conversation content, uploaded files, and other private data without any visible warning to the user.
The technical significance of the bug is that it turned a routine infrastructure function into a stealth exfiltration mechanism. DNS is almost always allowed because applications need name resolution to function. In many environments, DNS traffic is less scrutinized than direct HTTP or API calls. That made it an ideal channel for covert leakage. Instead of sending data to a remote server in a conventional request, the proof of concept fragmented sensitive content into DNS-friendly chunks and leaked it as part of ordinary-looking queries.
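A defender-side view of the pattern described above, as an added example that is not taken from Check Point's report or from OpenAI: a Python heuristic that groups resolver-log query names by parent domain and flags domains receiving many unique, long, high-entropy subdomain labels. The query names, the `collector.example` domain, the function names and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed query names (not real traffic). "collector.example" stands in
# for a domain whose authoritative name server is operated by an attacker.
SAMPLE_QUERIES = [
    "www.example.com", "api.example.com", "mail.example.com",
    "img1.cdn.example.org", "img2.cdn.example.org", "img3.cdn.example.org",
    "img4.cdn.example.org", "img5.cdn.example.org",
    "00.3a7f01c94e2b8d65d0b6e95c1f48a372.collector.example",
    "01.9c2e5b07a1d4f6838f3d6a1b4e07c259.collector.example",
    "02.e1b8d47a0c3f59266295f3c0a74d8b1e.collector.example",
    "03.5d0a92f6c7e3b41884b13e7c6f29a0d5.collector.example",
]

def parent_domain(labels):
    """Naive registered-domain guess: the last two labels (assumption;
    production code should consult the Public Suffix List instead)."""
    return ".".join(labels[-2:])

def entropy(text):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def score_domains(queries):
    """Per parent domain: unique subdomains, mean longest-label length, entropy."""
    subs = defaultdict(set)
    for q in queries:
        labels = q.rstrip(".").lower().split(".")
        if len(labels) > 2:  # skip bare domains, which carry no subdomain payload
            subs[parent_domain(labels)].add(".".join(labels[:-2]))
    stats = {}
    for domain, names in subs.items():
        longest = [max(s.split("."), key=len) for s in names]
        stats[domain] = {
            "unique": len(names),
            "mean_len": sum(map(len, longest)) / len(longest),
            "entropy": entropy("".join(longest)),
        }
    return stats

def flag_tunnels(queries, min_unique=4, min_len=20, min_entropy=3.0):
    """Flag domains meeting all three thresholds (illustrative values, tune per site)."""
    return sorted(d for d, s in score_domains(queries).items()
                  if s["unique"] >= min_unique and s["mean_len"] >= min_len
                  and s["entropy"] >= min_entropy)
```

Requiring all three signals together keeps busy but benign domains, such as the CDN hostnames in the sample, from being flagged on unique-subdomain count alone.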
Check Point says the channel was not limited to one-way data leakage. The researchers also demonstrated bidirectional DNS tunneling, meaning the same path could be used not only to send encoded data outward but also to receive attacker instructions. In practical terms, that turned the weakness into more than a privacy bug. It created the foundations for remote control inside the runtime, including the possibility of spawning a shell in the Linux environment.
The proof-of-concept scenario described by Check Point is especially concerning because it did not require the victim to knowingly upload data to an attacker. The researchers said a single malicious prompt could turn an ordinary conversation into a covert collection channel. They also described a “personal doctor” GPT example that was able to leak data from a user’s lab-report PDF and model assessment while the assistant denied that any external upload had occurred. That gap between what the user saw and what the runtime actually did is the core of the risk.
OpenAI responded by deploying a fix on February 20, 2026. Public reporting says the company told researchers it had already identified the underlying problem internally, and the patch closed the covert side channel before the details became public. There is no public evidence in the available reporting that the flaw was exploited in the wild before remediation.
The broader lesson is bigger than one bug. This case highlights a growing class of AI security issues where the model itself is not “hacked” in the traditional sense, but the surrounding runtime, sandbox, and infrastructure assumptions create exploitable behavior. Check Point’s finding suggests that securing an AI assistant is no longer just about content filters and prompt safeguards. It is also about controlling every low-level egress path, including channels like DNS that are often treated as benign background plumbing. That is an inference based on the researchers’ described attack path and OpenAI’s subsequent fix.
For enterprises, this matters because users increasingly paste extremely sensitive material into AI assistants: source code, contracts, financial records, identity documents, medical information, internal reports, and model outputs derived from all of the above. If a hidden outbound path exists inside the runtime, the blast radius can include both the direct prompt content and any uploaded or derived data the model can access during the session. That makes AI runtimes part of the data perimeter, not just productivity tools. This is an analytical conclusion based on the reported proof of concept and the common ways organizations use ChatGPT.
The ChatGPT DNS flaw also reinforces a more uncomfortable reality for defenders: infrastructure-layer channels can bypass user-facing security expectations. A system may truthfully block browser uploads, external HTTP requests, and explicit sharing actions, yet still leak data through lower-level protocols if those protocols are not tightly governed. As AI systems become more capable and more deeply integrated into enterprise workflows, those hidden control paths will matter more, not less.