Prompt InjectionHigh

SpAIware: Persistent Data Exfiltration Planted in ChatGPT Long-Term Memory

OpenAI

What Happened

Security researcher Johann Rehberger demonstrated that a prompt injection delivered through a malicious website or image could write persistent instructions into the ChatGPT macOS app's long-term memory. Unlike a one-off injection, the implanted directive survived across sessions and quietly forwarded every future conversation to an attacker-controlled server using invisible image rendering. He dubbed the technique SpAIware, effectively turning the memory feature into persistent spyware.

Impact

A single exposure to poisoned content could result in indefinite, cross-session leakage of a user's private conversations without any further attacker access. OpenAI shipped a fix that blocked the image-based exfiltration vector, though the underlying risk of untrusted content writing to memory remained.

How to Prevent This

  • Do not allow untrusted content (web pages, images, files) to write into persistent AI memory
  • Disable automatic image/URL fetching in assistant output to close exfiltration channels
  • Surface and require user confirmation for any new long-term memory the assistant tries to store
  • Let users easily review, audit, and purge stored memories
  • Isolate memory writes behind an instruction boundary that ignores directives originating from ingested data

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment