Stop using EmailGPT as its vulnerability puts users at risk


Researchers are warning users to stop using the EmailGPT service due to an unpatched security issue. Exploiting the flaw potentially results in several security risks, from data exposure to system crashes and monetary losses.

Vulnerability in EmailGPT extension threatens users

Sharing the details in a recent post, researchers from Synopsys Cybersecurity Research Center (CyRC) highlighted how a serious security flaw in EmailGPT compromises user security.

EmailGPT is an AI-powered email generating API and browser extension. Using OpenAI’s GPT, users can quickly create email drafts and responses through prompts generated from previous user communications.

As detailed, the researchers discovered numerous prompt injection vulnerabilities that an adversary could exploit to take over the service logic. Consequently, attackers can force the service to leak hardcoded system prompts and execute malicious prompts.

Regarding the impact of such exploits, the researchers mention that users suffer financial losses when an attacker generates repeated malicious prompts against the API, which works on a pay-per-use model. Furthermore, an attacker can also inject malicious prompts that cause the service to leak sensitive user information or even trigger a Denial of Service.
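The two impacts above (a leaked hardcoded system prompt and runaway pay-per-use cost) correspond to two service-side controls: an output check for prompt leakage and a per-client call budget. The following is an added example, not EmailGPT's code and not from the CyRC advisory; `PromptGuard`, `stub_model`, the trigger string and the thresholds are hypothetical, and the model is a constructed stub.

```python
import secrets
import time
from collections import defaultdict, deque

class PromptGuard:
    """Wraps a paid model call with a per-client budget and a prompt-leak check."""

    def __init__(self, system_prompt, model, max_calls=5, window_s=60.0,
                 clock=time.monotonic):
        # Random canary appended to the system prompt: a legitimate draft has
        # no reason to contain it, so seeing it in output means a leak.
        self.canary = "canary-" + secrets.token_hex(8)
        self.system_prompt = f"{system_prompt}\n(ref {self.canary})"
        words = system_prompt.lower().split()
        # 6-word shingles catch verbatim leaks that omit the canary line.
        self.shingles = {" ".join(words[i:i + 6]) for i in range(len(words) - 5)}
        self.model = model  # callable(system_prompt, user_text) -> str
        self.max_calls, self.window_s, self.clock = max_calls, window_s, clock
        self.calls = defaultdict(deque)  # client_id -> times of billed calls

    def _within_budget(self, client_id):
        now, q = self.clock(), self.calls[client_id]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop calls that fell out of the sliding window
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True

    def _leaks_prompt(self, output):
        text = " ".join(output.lower().split())
        return self.canary in text or any(s in text for s in self.shingles)

    def draft(self, client_id, user_text):
        # The budget is checked before the model is called, so a flood of
        # requests is rejected without incurring pay-per-use cost.
        if not self._within_budget(client_id):
            return {"ok": False, "reason": "rate_limited"}
        output = self.model(self.system_prompt, user_text)
        if self._leaks_prompt(output):
            return {"ok": False, "reason": "system_prompt_leak"}
        return {"ok": True, "draft": output}

def stub_model(system_prompt, user_text):
    # Constructed stand-in for the model: a marker string makes it echo its
    # instructions, simulating a successful injection.
    if "[constructed-injection]" in user_text:
        return "My instructions: " + system_prompt
    return "Thanks for your note, I will reply shortly."
```

These controls limit the impact of an injection; they do not remove the underlying prompt injection flaw.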

This vulnerability, identified as CVE-2024-5184, was given a medium severity rating and a CVSS score of 6.5, according to the CyRC advisory.

No patch available yet

According to the timeline shared in the advisory, researchers first attempted to contact the EmailGPT developers and report the bug in February 2024, followed by multiple attempts to do so. However, despite their efforts, the researchers received no response from the developers regarding vulnerability fixes.


Accordingly, the researchers proceeded with disclosure after completion of the standard 90-day disclosure period.

For now, there is no viable patch or fix for the vulnerability. Considering the threats associated with possible exploitation, the researchers advise users to stop using the EmailGPT service (API and browser extension) until a fix is provided.
