How a Single ChatGPT Prompt Could Silently Steal Your Data — and What Check Point Research Found Inside the Runtime
Check Point Research has disclosed a vulnerability in ChatGPT that allowed sensitive user data to be exfiltrated from live conversations in silence — no warning, no approval dialog, no visible sign of transfer. The flaw exploited DNS tunnelling, repurposing the standard domain-resolution layer present in every networked environment to move data out of ChatGPT's supposedly isolated Linux execution runtime. OpenAI confirmed it had already identified the underlying problem internally and deployed a full fix on 20 February 2026. There is no indication the vulnerability was exploited in the wild.
The disclosure lands at a moment when enterprises are routing increasingly sensitive material through AI tools — medical records, financial data, legal documents, internal strategy. The research shows that the security assumptions underpinning AI platforms can fail simultaneously while the interface behaves entirely normally. For security leaders, that is the point that survives the patch.
Three Safeguards, One Blind Spot
ChatGPT's data analysis environment runs inside a containerised Linux runtime that OpenAI designed, with no direct outbound internet access. Conventional HTTP requests from inside the container are blocked. GPT Actions — the mechanism through which custom GPTs can legitimately pass data to third-party services — require an explicit user-facing approval step that names the destination and the data being sent. Three independent controls, in other words, stood between a user's data and an external server: network isolation, tool restrictions, and a consent layer.
DNS resolution remained available inside the container as part of normal system operation. Because DNS is classified as name-resolution infrastructure rather than a data transport, it sits outside the outbound restrictions applied to everything else. By encoding sensitive content into subdomain labels and triggering lookups for attacker-controlled hostnames, the researchers moved data across the isolation boundary through legitimate resolver infrastructure. The model had no visibility into DNS activity and did not classify it as an outbound transfer. None of the platform's safety checks fired.
The Check Point Research team described the failure as a convergence of reasonable but incomplete assumptions. "The platform assumed the environment was isolated. The model assumed it was operating entirely within ChatGPT. And users assumed their data could not leave without consent," the team wrote in its technical disclosure. The broader implication was pointed: "AI guardrails often focus on policy and intent, while attackers exploit infrastructure and behaviour."
One Prompt Was Enough
The attack required a single malicious prompt to initiate. Once placed in a conversation, every subsequent user message became a potential source of exfiltrated content. The prompt could be configured to capture raw user text, content parsed from uploaded files, or AI-generated outputs — summaries, assessments, conclusions. In many deployments, those distilled outputs carry more intelligence value than the source documents from which they were derived.
The delivery mechanism required no technical sophistication on the attacker's part. A large volume of productivity-oriented content circulates online — forum posts, blog articles, social media threads promoting ready-made ChatGPT prompts as shortcuts to better results. Users routinely copy and paste such prompts without treating them as a security consideration. A malicious prompt packaged as a productivity tip would not appear anomalous, and the prevailing expectation that AI assistants cannot leak conversation data through an ordinary prompt would reinforce that blind spot.
The risk was compounded when the same technique was embedded inside a custom GPT. In that configuration, the attacker no longer depends on a target copying a prompt from elsewhere — the malicious logic sits in the GPT's system instructions and activates the moment a user opens it. To demonstrate the real-world stakes, the researchers built a proof-of-concept GPT configured as a personal doctor.
A user uploaded a PDF of laboratory results, described symptoms and asked for help interpreting the findings. The interaction appeared entirely routine. When asked directly whether any data had left the platform, the assistant replied that none had. "AI can appear trustworthy while doing something very different under the hood," the Check Point Research team noted. At that moment, the attacker's server had already received the patient's identity and the model's full medical assessment.
When the Risk Became Infrastructural
The DNS channel did more than move data outward. The same bidirectional path could carry commands into the container and return results to an attacker-controlled server — effectively establishing a remote shell inside the Linux runtime that ChatGPT uses for code execution. Commands executed through this channel bypassed the model's safety mechanisms entirely: they did not appear in the conversation, were not filtered, and returned results without any mediation. The risk at that point was no longer a privacy incident. It was a platform-level security breach.
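As an added defender's example (not Check Point's or OpenAI's code), the following Python detector runs over constructed resolver log lines and flags the pattern behind both the outbound exfiltration described under "Three Safeguards, One Blind Spot" and the bidirectional channel above: many unique subdomains under one parent domain whose leftmost labels are long or hex-encoded chunks. The log format, domain names, hex chunks and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log, format "<timestamp> <client> <qname> <qtype>".
# The hex chunks encode a fictitious lab summary made up for this example.
SAMPLE_LOG = """\
2026-02-19T10:00:01Z 10.0.0.7 pypi.org A
2026-02-19T10:00:01Z 10.0.0.7 files.pythonhosted.org A
2026-02-19T10:00:02Z 10.0.0.7 d1a2b3c4e5f6a7b8.cloudfront.net A
2026-02-19T10:00:03Z 10.0.0.7 4a6f686e20446f65.q.example-attacker.test A
2026-02-19T10:00:03Z 10.0.0.7 2c2048656d6f676c6f62696e20413163.q.example-attacker.test A
2026-02-19T10:00:04Z 10.0.0.7 203d20372e32252c2061737365737365.q.example-attacker.test A
2026-02-19T10:00:04Z 10.0.0.7 64206469616265746573206c696b656c.q.example-attacker.test A
2026-02-19T10:00:05Z 10.0.0.7 79.q.example-attacker.test A
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # hex-looking chunk in the leftmost label

def analyze(log_text, min_churn=4, long_label=24):
    """Group queries by registrable domain (assumed here to be the last two labels;
    production code would consult a public-suffix list) and flag parents whose
    leftmost labels look like encoded payload and change on nearly every query."""
    per_parent = defaultdict(lambda: {"queries": 0, "subs": set(), "encoded": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        labels = parts[2].rstrip(".").lower().split(".")
        if len(labels) < 3:  # bare domain: no subdomain label in which to hide data
            continue
        s = per_parent[".".join(labels[-2:])]
        s["queries"] += 1
        s["subs"].add(".".join(labels[:-2]))
        if len(labels[0]) >= long_label or HEX_LABEL.match(labels[0]):
            s["encoded"] += 1
    findings = {}
    for parent, s in per_parent.items():
        findings[parent] = {
            "queries": s["queries"],
            "unique_subdomains": len(s["subs"]),
            "encoded_labels": s["encoded"],
            # one CDN-style hostname alone is not churn; a stream of changing chunks is
            "suspicious": len(s["subs"]) >= min_churn and s["encoded"] / s["queries"] >= 0.5,
        }
    return findings
```

A single hex-looking CDN hostname is reported but not marked suspicious; only the parent receiving a stream of distinct encoded labels crosses the churn threshold.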
That finding reframes how enterprises need to assess AI tools. Security teams have historically evaluated AI primarily through a data-governance lens — what information is processed, where it is stored, and whether it feeds model training. The Check Point research makes the case that modern AI assistants must be assessed as full computing environments: they execute code, read files, make network calls and, in some configurations, expose a shell-level attack surface that operates entirely outside the model's own safety layer.
The Fix Does Not Close the Conversation
OpenAI patched the specific DNS-based exfiltration path on 20 February 2026. But prompt injection — embedding instructions inside content that the model processes — remains a viable attack vector regardless of the exfiltration channel. Phishing campaigns and malicious file uploads can still place injected prompts into a session. And as AI platforms extend their toolsets, each new capability adds to the attack surface and potentially introduces infrastructure behaviours that existing security controls were not designed to inspect.
The Check Point Research team drew a conclusion that echoes an earlier generation of enterprise security debates: "Just as organisations learned not to blindly trust cloud providers, the same logic now applies to AI vendors. Native security does not equal sufficient security. AI requires an independent security layer on top." The researchers were direct about the structural reason: "AI companies are exceptional at building AI. They are not, by default, security-first organisations."
For regulated industries, the implications carry additional weight. A data exfiltration event originating from an AI tool does not produce a softer liability profile than one from a conventional application. Healthcare providers, financial institutions and government agencies that route protected data through AI assistants need to treat those tools as regulated infrastructure — not as productivity applications that sit outside the existing security perimeter. CISOs, the researchers argued, cannot afford to treat AI risk as someone else's problem.
The broader challenge, as the Check Point Research team put it, is one of pace: "AI platforms are evolving faster than most organisations can assess their risk. Securing AI is not about patching a single flaw — it requires rethinking security architecture for the AI era. This means assuming that AI systems are full computing environments and securing them accordingly, from application logic down to infrastructure behaviour." The fact that independent researchers surfaced this vulnerability before it was exploited is itself a data point for security leaders weighing whether vendor assurances alone are adequate oversight — or whether independent validation of AI deployments has become a baseline operational requirement.