OpenAI recently announced a technical problem that affected user privacy in its ChatGPT service. The company took ChatGPT offline due to a bug in an open-source library that allowed some users to see titles from another active user’s chat history. The bug also caused unintentional visibility of payment-related information for 1.2% of ChatGPT Plus subscribers who were active during a specific nine-hour window. OpenAI believes the number of users whose data was revealed is extremely low.
The bug was discovered in redis-py, the open-source Redis client library. OpenAI reached out to the Redis maintainers with a patch to resolve the issue as soon as they identified the bug. With redis-py, requests and responses on a connection behave as two queues. If a request is canceled after it is pushed onto the incoming queue but before its response is popped from the outgoing queue, the connection becomes corrupted, and the next response that's dequeued for an unrelated request can receive data left behind in the connection. This results in an unrecoverable server error, and the user will have to try their request again. However, in some cases, the corrupted data matches the data type the requester was expecting, and so what gets returned from the cache appears valid, even if it belongs to another user.
OpenAI has taken several actions to improve its systems, including extensively testing the fix to the underlying bug, adding redundant checks to ensure the data returned by its Redis cache matches the requesting user, programmatically examining logs to confirm that messages are only available to the correct user, and improving the robustness and scale of its Redis cluster to reduce the likelihood of connection errors at extreme load. OpenAI has also notified affected users that their payment information may have been exposed and apologized to the ChatGPT community, promising to work diligently to rebuild trust.
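The failure mode and the redundant ownership check described above, as an added example that is not code from redis-py or OpenAI: a toy in-memory connection shows a canceled request leaving its reply behind for the next caller, and two defenses (discarding the connection on cancellation, and checking the record's owner). The `Connection` class, the `discard_on_cancel` flag, the `checked` helper, and the keys and records are all constructed for illustration.

```python
import asyncio
from collections import deque

# Constructed sample cache contents; keys and fields are illustrative.
STORE = {"chat:alice": {"owner": "alice", "title": "Tax questions"},
         "chat:bob": {"owner": "bob", "title": "Trip ideas"}}

class Connection:
    """Toy shared connection: replies come back strictly in request order."""
    def __init__(self):
        self.unread = deque()   # replies sent by the server that no caller has read
        self.closed = False

    async def get(self, key, discard_on_cancel):
        self.unread.append(STORE[key])        # request sent, reply now in flight
        try:
            await asyncio.sleep(0.01)         # waiting on the network; a cancel lands here
            return self.unread.popleft()      # read the oldest unread reply
        except asyncio.CancelledError:
            if discard_on_cancel:
                self.closed = True            # stream is out of sync: never reuse it
            raise

async def scenario(discard_on_cancel):
    """Alice's request is canceled mid-flight, then Bob's request runs."""
    conn = Connection()
    task = asyncio.create_task(conn.get("chat:alice", discard_on_cancel))
    await asyncio.sleep(0)                    # let the request go out
    task.cancel()
    try:
        await task
    except asyncio.CancelledError:
        pass
    if conn.closed:
        conn = Connection()                   # pool hands out a fresh connection
    return await conn.get("chat:bob", discard_on_cancel)

def checked(record, requesting_user):
    """Redundant check: reject a cache reply that belongs to another user."""
    if record["owner"] != requesting_user:
        raise PermissionError("cache reply does not belong to requester")
    return record

if __name__ == "__main__":
    print("connection reused after cancel:", asyncio.run(scenario(False)))
    print("connection discarded on cancel:", asyncio.run(scenario(True)))
```

In the reused-connection run, Bob's request is answered with Alice's record because it has the expected shape; `checked` is the layer that still catches this if a desynchronized connection slips through.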
OpenAI acknowledges the significant role that open-source software, including Redis, plays in their research efforts. They are dedicated to continually supporting and contributing to the Redis community. As the investigation wraps up, supporting and informing users remains OpenAI’s top priority.