Regular visitors of UWU.blog have probably seen this post where I explain how vulnerable ChatGPT Android apps can be exploited to provide free ChatGPT API access to anyone with basic Python skills. As I mentioned, I informed the app developers of the issue, but some of the developers seemingly ignored my report. This had me thinking: if they ignore such a serious problem, they probably don't care about security all that much. And yeah... I was correct. The app has more holes in it than Swiss cheese.
The first thing that I tried worked. I tried to intentionally induce an error on one of the apps (which I will not name) by removing a few characters from the UUID in the request, and yeah... I found a bit of a problem. The app sends a debug message that includes the admin AWS credentials, and I confirmed that it outputs this for every error response.
{ "error": { "code": 400, "message": "Bad Request", "details": "Invalid parameters were provided.", "trace": [ "at validateParameters (validation.js:30:13)", "at UserService.getUser (userService.js:87:16)", "at processRequest (requestHandler.js:45:10)", "at runMicrotasks ([REDACTED])", "at processTicksAndRejections (internal/process/task_queues.js:93:5)", "at AWSS3Service.connect (awsService.js:50:20, awsAccessID='[REDACTED]', awsAccessKey='[REDACTED]')", "at AWSS3Service.uploadFile (awsService.js:75:18)", "at main (app.js:105:7)" ] }}I removed the irrelevant parts, but as you can see, the access credentials are in full view.
Like, I'm no web dev, but sending your admin AWS credentials to every one of your ~100k users every time they encounter an error seems like a bit of a bad practice... So I again emailed the devs about this problem. I presume that this happened because a dev forgot to remove the detailed debug info in the production release.
This whole saga of the ChatGPT apps' vulnerabilities just keeps giving us more reasons to be wary. It's pretty clear that if developers aren't jumping to fix such glaring security holes, they might not be taking their responsibilities seriously. And honestly, it's not just about one or two apps—it's about the bigger picture of trust and security in the tech we use every day.
So, what can we do? Keep our eyes peeled, stay informed, and definitely think twice before downloading something sketchy. I'll keep digging and keep you posted if anything else comes up—because this? This is a can of worms that's just getting opened.
Stay safe and stay skeptical!
Disclaimer:
This post is for educational purposes only and does not condone illegal activities. The author and publisher are not responsible for any actions taken based on this information. Use at your own risk.