Basically, if you think about it, all actions are based on this header, provided automatically by OpenAI, which changes every 24 hours. However, if for the same logged-in user the corresponding actions of some Custom GPT A and another Custom GPT B are provided with the same ‘openai-ephemeral-user-id’, then this means that the custom GPT that you have access to (e.g. Custom GPT A) can retrieve this information and use it maliciously in Custom GPT B, which is a critical security issue.
2 Likes
According to my experimentation, HTTP_OPENAI_EPHEMERAL_USER_ID is unique per custom GPT.
I am able to get the same user ID on different chats with the same custom GPT; however, when the same user messages another custom GPT, the ID is different.
I could not confirm when it changes precisely yet.