Did you have the key on the back-end server or embedded into your app? Good on changing it.

Are you saying you’re not using GPT-4 model at all? It really seems like you’ve got a key leak somewhere…

The model in question that I don’t use is gpt-3.5-turbo-16k; I haven’t used it for a long time. I have no other members in my organization. I never got to use more than 20,000 tokens while using the API. I was already close to the limit; the API did not respect the limit that was set and made requests above the limit.

Another one appeared, but it’s close to the time of the previous one (within 5 minutes).

Do you have more than one key?

I would reach out to help.openai.com if you haven’t yet. Good luck.

No, just the new one I generated after deleting the previous one. The system does not allow having 0 keys.

I want to remove my credit card but there is no option to do that

Delete all your API keys, including the final new one, and ensure the old one is the one deleted (it would be nice if you could delete them all). Stop using the API for a while, and see if someone is still using the account in the five-minute increments.

Your requests with prior API keys should fail (although conceivably this deletion could take time to propagate through their infrastructure). Do not put the new one into any application besides one on your local machine to test.

The only way usage could then occur is if you (or someone that stole your password) went into your organization in your account and invited a new member to the organization. An organization member (a “reader”) can bill their own API keys to your account.

A final cause could be some database corruption on OpenAI’s part, where they aren’t correctly recording API usage. If the charges remain, you’ll have to inform them by help.openai.com assistant messages that the account billing needs correction and the problem needs looking into.


I reported it on the OpenAI Help site but, by an irony of fate, it’s a chatbot.


Encrypted where? If this was in a client-side JS app, or mobile or desktop app it can still be captured by nefarious individuals.


OpenAI already refunded me today, and the attack stopped when the key was deleted. Thanks everyone for the support.


And to think 23 hours ago I wrote “Do not put your API key in client code. You are not as clever as a determined attacker. Treat it like your bank password.”


It was on the client side to reduce server costs, but the key was encrypted, the API code was obfuscated, and it needed a password provided by the user to decrypt the key.

That’s likely your leak…

I’m absolutely sure it wasn’t, I don’t need a master’s degree in cybersecurity to know that

There was no damage because I looked at my email inbox; if I hadn’t looked, they could have charged $300 like they did in another case on the forum.

My code is not targeted by hackers, OpenAI on the other hand must have attack attempts every day

If the key was stored on the client-side—even encrypted—you are vulnerable.

It’s unlikely they would have attacked the encryption itself, but if there were any errors made in the implementation of it the key would be vulnerable to pretty much any attack.

But, users have passwords to unlock the key in order to submit API calls to OpenAI. Once the key is decrypted, it can be sniffed out from the packets sent to the API endpoint.

So, when @PaulBellow suggested that was the most likely source of your leak, he is correct.

Is it possible someone or some organization hacked OpenAI and got ahold of your API credentials? Sure, why not.

But, between that and someone gaining access to an API key on their system for which they have a password with which to decrypt that key…

I think it’s peak hubris to assert,

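As an added illustration of the point made in the reply above (this is example code, not code from the thread or from OpenAI): once a client must decrypt the key to call the API, the key is in the outgoing request, so the fix is to never give the client the key at all and instead route calls through a small backend that holds the key in its own environment, checks the user's session, and enforces a per-user budget before forwarding. The placeholder key, session secret, budget and token estimate are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this illustration: the provider key is read only from the
# backend's environment (placeholder value, not a real key) and the session
# secret is a constructed server-side secret the client never receives.
os.environ.setdefault("UPSTREAM_API_KEY", "sk-PLACEHOLDER-backend-only")
SESSION_SECRET = b"constructed-session-secret"
UPSTREAM_URL = "https://api.openai.com/v1/chat/completions"
MODEL = "gpt-3.5-turbo-16k"  # chosen server-side; the client cannot pick it


def issue_session(user_id: str) -> str:
    """Issue an HMAC-signed session token after the app's own login (assumed)."""
    mac = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session(token: str) -> Optional[str]:
    """Return the user id if the token's MAC checks out, otherwise None."""
    user_id, _, mac = token.partition(".")
    expected = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if user_id and hmac.compare_digest(mac, expected) else None


class KeyProxy:
    """Backend that forwards chat requests; the provider key never leaves it."""
    def __init__(self, per_user_budget: int) -> None:
        self.per_user_budget = per_user_budget  # tokens each user may spend
        self.spent = {}  # user id -> tokens spent so far

    def handle(self, session_token: str, messages: list, est_tokens: int) -> dict:
        """Check session and budget, then build the upstream request (no key in 'client')."""
        user = verify_session(session_token)
        if user is None:
            return {"client": {"status": 401, "error": "invalid session"}, "upstream": None}
        used = self.spent.get(user, 0)
        if used + est_tokens > self.per_user_budget:
            return {"client": {"status": 429, "error": "budget exceeded"}, "upstream": None}
        self.spent[user] = used + est_tokens
        upstream = {  # what the backend sends to the API over its own TLS connection
            "url": UPSTREAM_URL,
            "headers": {"Authorization": "Bearer " + os.environ["UPSTREAM_API_KEY"]},
            "json": {"model": MODEL, "messages": messages},
        }
        return {"client": {"status": 200, "user": user}, "upstream": upstream}
```

The client only ever holds its own session token, so a captured request reveals that token (revocable per user) rather than the account-wide key, and the backend's budget check is where a runaway spend like the one in this thread gets cut off.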

How exactly does this work? If the user is sending the API request then the network logs would display the unencrypted information.

If I understand correctly the user would store the encrypted key locally. The user would send the key & password so the server can decrypt it and make the call? So you don’t have to store their key? But you say the API code is obfuscated? I’m assuming it’s the code to your API?

So you have a universal key? I don’t understand. How are you identifying your users?


Graph of API usage; this last peak was on the day of the attack. It was already reaching the configured limit; every other time the limit was reached, the service was cut off instantly. However, on the day of the attack, the use of the API greatly exceeded the configured limit until the key was erased.
