Comment by bflesch
1 day ago
Ego, curiosity, potential bug bounty & this was a low hanging fruit: I was just watching API requests in Devtools while using ChatGPT. It took 10 minutes to spot it, and a week of trying to reach a human being. Iterating on the proof-of-concept code to increase potency is also a nice hobby.
These kinds of vulnerabilities give you a good idea of whether there could be more to find, and whether their bug bounty program is actually worth interacting with.
With this code smell I'm confident there's much more to find, and for a Microsoft company they're apparently not leveraging any of their security experts to monitor their traffic.
Make it reflective, reflect it back onto an OpenAI API route.
Lol but actually this is a good way to escalate priority. Better yet, point it at various Microsoft sites that aren't provisioned to handle the traffic and let them internally escalate.
In my experience, that'd turn into a list of exceptions, rather than actually fixing the problem.
I'm not a malicious actor and wouldn't want to interrupt their business, so that's a no-go.
On a technical level, the crawler followed HTTP redirects and had no per-domain rate limiting, so it might have been possible. Now the API seems to have been deactivated.
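The defect described in the last comment (redirects followed, no per-domain limit) is what a per-host budget prevents; this is an added illustration, not the crawler's code, using a constructed in-memory "network" in place of real HTTP.

```python
# Added example (not OpenAI's crawler code): a batch fetcher that follows
# redirects but charges every hop to the host it actually reaches, so many
# source URLs cannot funnel traffic onto one target. The "network" below is
# a constructed table of URL -> (kind, value) standing in for real HTTP.
from collections import Counter
from urllib.parse import urlparse

FAKE_NET = {
    # three unrelated hosts all redirecting to the same destination
    "https://c1.example/r": ("redirect", "https://victim.example/big"),
    "https://c2.example/r": ("redirect", "https://victim.example/big"),
    "https://c3.example/r": ("redirect", "https://victim.example/big"),
    # a redirect loop, to show the hop limit
    "https://loop.example/a": ("redirect", "https://loop.example/b"),
    "https://loop.example/b": ("redirect", "https://loop.example/a"),
    "https://victim.example/big": ("ok", "payload"),
}

MAX_PER_HOST = 2    # requests one host may receive within a single batch
MAX_REDIRECTS = 5   # hop limit so a redirect loop cannot spin forever


def fetch_batch(urls, net=FAKE_NET, max_per_host=MAX_PER_HOST):
    """Fetch each URL, following redirects. Returns (results, issued):
    results maps each original URL to "ok", "error", "throttled" or
    "too-many-redirects"; issued counts requests actually sent per host,
    including redirect targets, which is the count the limit is checked on."""
    issued = Counter()
    results = {}
    for url in urls:
        current, hops = url, 0
        while True:
            host = urlparse(current).hostname
            if issued[host] >= max_per_host:
                results[url] = "throttled"   # budget for this host is spent
                break
            issued[host] += 1
            kind, value = net.get(current, ("error", None))
            if kind == "redirect":
                hops += 1
                if hops > MAX_REDIRECTS:
                    results[url] = "too-many-redirects"
                    break
                current = value              # next hop is charged to its host
                continue
            results[url] = kind
            break
    return results, issued
```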