Hello OpenAI Team,
I am the author of the open-source project ChatGPT Next Web.
Today, I received reports from my users regarding a vulnerability in OpenAI’s API key authentication system. When a user’s API key is leaked, an attacker can easily use the undisclosed interface to create new API keys in bulk. This is obviously not an acceptable practice, and I recommend that you review all of your undisclosed interface authentication mechanisms and strictly limit access to API keys.
Here is an example of a possible attack:
curl -i https://api.openai.com/dashboard/user/api_keys \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer sk-leaked-api-key" \
  -d '{
    "action": "create",
    "name": "key-name"
  }'
This request can be used with a user’s leaked API key to generate new API keys without any restrictions.
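The mitigation the report asks for is a privilege boundary between data-plane API keys and account-management credentials: a key that is meant to call inference endpoints should never be accepted as proof of authority to mint more keys, and key creation should be rate-limited per account so that a single compromised credential cannot produce keys in bulk. The following is an added illustration of such a policy, written for this page; it is not OpenAI's code, and the credential store, endpoint table, token formats (`sk-…`, `sess-…`) and the limit of 5 creations per hour are all constructed placeholders.

```python
"""Illustrative authorization policy: separate data-plane API keys from
management credentials and cap key creation per account.

Added example for this report; assumptions (not OpenAI's real system):
  - credentials are looked up in CREDENTIALS (constructed placeholder data)
  - POLICY lists which credential kinds may reach which endpoint
  - key creation is limited to MAX_KEY_CREATIONS per WINDOW_SECONDS
"""
import hmac
from collections import defaultdict, deque

# Constructed credential store: bearer token -> (kind, owner).
# "api_key" is a long-lived data-plane key (the thing that leaks);
# "session" is an interactive dashboard login (short-lived, MFA-backed).
CREDENTIALS = {
    "sk-leaked-api-key": ("api_key", "user-1"),
    "sess-abc": ("session", "user-1"),
}

# Endpoint policy keyed by (method, path): the set of credential kinds
# allowed to call it. Key management never accepts a plain API key, so a
# leaked key cannot be used to create further keys.
POLICY = {
    ("POST", "/dashboard/user/api_keys"): {"session"},
    ("GET", "/v1/models"): {"api_key", "session"},
    ("POST", "/v1/chat/completions"): {"api_key", "session"},
}

MAX_KEY_CREATIONS = 5      # constructed limit
WINDOW_SECONDS = 3600      # sliding one-hour window
_creation_log = defaultdict(deque)  # owner -> timestamps of recent creations


def lookup(token):
    """Find a credential with a constant-time comparison against each stored
    token, so timing does not reveal how much of a guessed token matched."""
    found = None
    for stored, cred in CREDENTIALS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            found = cred
    return found


def authorize(method, path, authorization):
    """Return (allowed, reason_or_owner) for a request.

    Denials name the failing check so they can be logged and alerted on;
    an api_key_not_allowed hit on the key-management endpoint is exactly
    the signal a defender wants to see when a key has leaked.
    """
    if not authorization.startswith("Bearer "):
        return (False, "missing_bearer")
    cred = lookup(authorization[len("Bearer "):])
    if cred is None:
        return (False, "unknown_credential")
    kind, owner = cred
    allowed_kinds = POLICY.get((method, path))
    if allowed_kinds is None:
        return (False, "unknown_endpoint")
    if kind not in allowed_kinds:
        return (False, f"{kind}_not_allowed")
    return (True, owner)


def record_key_creation(owner, now):
    """Sliding-window limiter for key creation.

    Returns True and records the event if the owner is under the cap;
    returns False (and records nothing) when the cap would be exceeded.
    """
    log = _creation_log[owner]
    while log and now - log[0] >= WINDOW_SECONDS:
        log.popleft()                      # drop events outside the window
    if len(log) >= MAX_KEY_CREATIONS:
        return False
    log.append(now)
    return True


if __name__ == "__main__":
    # The request from the report, replayed against the policy:
    print(authorize("POST", "/dashboard/user/api_keys",
                    "Bearer sk-leaked-api-key"))   # (False, 'api_key_not_allowed')
    print(authorize("POST", "/v1/chat/completions",
                    "Bearer sk-leaked-api-key"))   # (True, 'user-1')
```

The two checks are independent on purpose: the policy table stops the leaked-key case outright, while the per-owner limiter bounds the damage even from a legitimate management credential that has been phished, and both produce a named reason that can feed detection.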
Please let me know if you need any further information or if I can be of any assistance in addressing this issue.