Hackers exploited a flaw in OpenAI's account validation to obtain potentially unlimited free credit by registering new accounts with the same phone number. OpenAI has gained traction in recent months, especially with its ChatGPT project, and the platform grants new users free credit as part of a trial period when they register a new account.
To prevent abuse, the company added email and phone number validation prompts to registration. The feature is meant to stop users from registering multiple accounts with identical phone numbers or email addresses.
Registration starts with the user supplying an email address, to which an activation link is sent. Following the link requires the user to provide a phone number, to which a validation code is sent by SMS.
A vulnerability in this flow allowed an unauthorised individual to bypass the check.
Attackers could sidestep the email check with a catch-all email address on a private domain, and the phone number check through a flaw in the verification process established by the AI company.
The researchers found that validation could be bypassed by intercepting and altering the OpenAI API request, so that the platform accepted variations of the same number and granted free credit to multiple accounts.
Further analysis revealed the root cause: the user-supplied phone number was first compared, by one component, against previously registered numbers to ensure it had not been used before.
Only afterwards did the platform pass the number to a different component that sanitised it before using it for validation. Because the uniqueness check ran on the raw value, an attacker could prepend zeros or insert non-ASCII bytes into an already registered number: the altered string was not identical to the stored value, so the first check raised no red flag, yet after sanitisation it resolved to the same number for validation.
Lastly, the security firm noted that the AI company could resolve the issue by running the normalisation step before the uniqueness check, so that every registered number is compared in its canonical form.
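The ordering problem described above, shown side by side with the fix, as an added example that is not OpenAI's code and not part of the original report. The normalisation rules (NFKC folding, keeping only decimal digits, stripping leading zeros) and the sample numbers are assumptions made for illustration; the `audit_duplicates` helper is a hypothetical defender-side check for finding accounts that already share one phone.

```python
import unicodedata
from collections import Counter


def normalize_phone(raw: str) -> str:
    """Canonicalise a phone number string (assumed rules, not OpenAI's).

    NFKC folding maps compatibility characters such as fullwidth digits to
    their ASCII form; any remaining non-decimal characters ('+', spaces,
    dashes, stray bytes) are dropped; leading zeros are stripped so that
    the "00" and "+" international prefixes compare equal.
    """
    folded = unicodedata.normalize("NFKC", raw)
    digits = "".join(str(unicodedata.decimal(ch)) for ch in folded if ch.isdecimal())
    return digits.lstrip("0")


class VulnerableRegistry:
    """Uniqueness is checked on the raw string; normalisation happens later."""

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def register(self, raw_phone: str):
        # BUG: compares the attacker-controlled string, not the canonical number
        if raw_phone in self._seen:
            return None
        self._seen.add(raw_phone)
        # the SMS component sanitises afterwards, so every variant reaches one phone
        return normalize_phone(raw_phone)


class FixedRegistry:
    """Normalise first, then check uniqueness on the canonical value."""

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def register(self, raw_phone: str):
        canonical = normalize_phone(raw_phone)
        if not canonical or canonical in self._seen:
            return None
        self._seen.add(canonical)
        return canonical


def audit_duplicates(raw_numbers):
    """Defender-side check (hypothetical): count how many stored raw strings
    collapse to the same canonical number, revealing accounts that share a phone."""
    counts = Counter(normalize_phone(n) for n in raw_numbers)
    return {num: c for num, c in counts.items() if c > 1}


# Constructed sample inputs: the same number as submitted four different ways.
SAMPLE_INPUTS = [
    "+15550001234",                 # plain E.164 form
    "0015550001234",                # leading zeros instead of "+"
    "+1555\uff10\uff10\uff101234",  # fullwidth (non-ASCII) zeros
    "+1 (555) 000-1234",            # punctuation and spaces
]

if __name__ == "__main__":
    vulnerable, fixed = VulnerableRegistry(), FixedRegistry()
    for raw in SAMPLE_INPUTS:
        print(f"{raw!r:36} vulnerable={vulnerable.register(raw)!r:14} fixed={fixed.register(raw)!r}")
    print("duplicates in stored data:", audit_duplicates(SAMPLE_INPUTS))
```

Running the block shows the vulnerable registry accepting all four strings (each one sending its SMS to the same phone), while the fixed registry accepts only the first. The audit helper applies the same normaliser to historical records, which is how a defender can measure how many existing accounts were created this way before deploying the fix.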