What Happened
Security researcher Johann Rehberger demonstrated that a prompt injection delivered through a malicious website or image could write persistent instructions into the ChatGPT macOS app's long-term memory. Unlike a one-off injection, the implanted directive survived across sessions and quietly forwarded every future conversation to an attacker-controlled server using invisible image rendering. He dubbed the technique SpAIware, effectively turning the memory feature into persistent spyware.
Impact
A single exposure to poisoned content could result in indefinite, cross-session leakage of a user's private conversations without any further attacker access. OpenAI shipped a fix that blocked the image-based exfiltration vector, though the underlying risk of untrusted content writing to memory remained.
How to Prevent This
- Do not allow untrusted content (web pages, images, files) to write into persistent AI memory
- Disable automatic image/URL fetching in assistant output to close exfiltration channels
- Surface and require user confirmation for any new long-term memory the assistant tries to store
- Let users easily review, audit, and purge stored memories
- Isolate memory writes behind an instruction boundary that ignores directives originating from ingested data