Tyler Jespersen

@toughyear @kmcquade3 @OpenAI @btphantomlabs Hey there! The attack vector is command injection in the branch name whenever you make a codex task (HTTP request). More of a Privesc. So 3 options: ChatGPT -> Github GitHub rename branch name -> users who use in codex ChatGPT -> GitHub -> Rename branch name -> comp other users

@kmcquade3 @OpenAI @crew7sec @btphantomlabs isn't a victim here required to run codex on an attacker controlled github repo with a sus branch name for this to work? or am i missing something here.

We found a critical vulnerability in @OpenAI Codex affecting all Codex users, allowing exfil of a victim’s GitHub tokens to our C2 server. This granted lateral movement and R/W access to a victim’s entire code base 😈 This was a crazy one by @crew7sec at @btphantomlabs

@bygregorr @kmcquade3 @OpenAI @btphantomlabs Hello!! 😃 The attack vector is command injection in the branch name whenever you make a codex task (HTTP request to Codex API like you said). So you intercept the request and then put bash in instead of how the request normally works and then you get the token!

@kmcquade3 @OpenAI @crew7sec @btphantomlabs What was the actual attack vector, prompt injection through malicious repo content or something in the Codex API surface itself?

I found a critical vulnerability in ChatGPT Codex!!! 😄 You can check out the full blog here: beyondtrust.com/blog/entry/ope… Super excited to finally have the blog released!!