Bug in open-source library redis-py caused caching issue
OpenAI, the artificial intelligence research organization, has announced that a bug in an open-source library called redis-py created a caching issue that may have exposed some users’ payment information. The incident led to the ChatGPT service being taken offline on March 20th.
Details of the Data Leak
OpenAI has revealed that a caching bug caused certain active users of ChatGPT Plus to potentially view another user’s name, email address, payment address, as well as the last four digits and expiration date of their credit card. In addition, some users may have seen partial chat histories of other users. The company estimates that approximately 1.2 percent of ChatGPT Plus users who utilized the service between 4 AM and 1 PM ET on March 20th may have been affected by this payment information leak.
Cause of the Data Leak
The company has blamed a bug in the redis-py library for the incident. The bug created a caching issue in which a canceled Redis request could cause corrupted data to be returned for a different request. If a user requested the same type of data as someone else, the app would show them the cached data that was actually meant for the other user. This is why people were seeing other users’ payment information and chat history.
OpenAI’s Response
OpenAI has fixed the bug that appeared in a specific version of Redis and commended the project’s team for being “fantastic collaborators.” To prevent such incidents from happening again, OpenAI has implemented changes in its software and practices, including adding redundant checks to ensure the data being served belongs to the requesting user and reducing the possibility of Redis cluster errors during high loads.
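A small Python model, added here and not part of OpenAI's or redis-py's code, of the failure mode described above and of the kind of ownership check mentioned as a mitigation: one connection shared by successive requests, a request canceled after its command is sent but before its reply is read, and the next request consuming the stale reply as its own. The key names, user names and cached records are constructed for the demonstration.

```python
from collections import deque


class SharedConnection:
    """Commands go out in order and replies come back in the same order.
    A reply that no caller reads stays queued on the connection and is
    handed to whoever reads next (simplified model, not the Redis protocol)."""

    def __init__(self, store):
        self.store = store
        self.unread = deque()

    def send(self, key):
        # the server answers immediately; the reply waits until someone reads it
        self.unread.append(self.store[key])

    def read(self):
        return self.unread.popleft()

    def reset(self):
        # fail closed: drop any reply whose request can no longer be trusted
        self.unread.clear()


def fetch_billing(conn, user, cancelled=False):
    """Unchecked behaviour: whatever reply comes next is returned to the caller."""
    conn.send(f"billing:{user}")
    if cancelled:
        return None  # caller gave up before reading; the reply stays on the connection
    return conn.read()


def fetch_billing_checked(conn, user, cancelled=False):
    """Hardened behaviour: the reply must name the requesting user as its owner."""
    conn.send(f"billing:{user}")
    if cancelled:
        return None  # same leaky cancellation; the redundant check below catches it
    reply = conn.read()
    if reply["owner"] != user:
        conn.reset()  # connection is out of sync; discard the queue and refuse to serve
        raise RuntimeError(f"record owned by {reply['owner']} served to {user}")
    return reply


STORE = {  # constructed sample cache contents
    "billing:alice": {"owner": "alice", "card_last4": "1234"},
    "billing:bob": {"owner": "bob", "card_last4": "9876"},
}


def simulate(fetch):
    """Alice's request is cancelled mid-flight, then Bob asks for his own record."""
    conn = SharedConnection(dict(STORE))
    fetch(conn, "alice", cancelled=True)
    try:
        return fetch(conn, "bob")["owner"]
    except RuntimeError:
        return "refused"
```

Running `simulate(fetch_billing)` shows Bob receiving Alice's record; `simulate(fetch_billing_checked)` refuses to serve it.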
Conclusion
OpenAI has reached out to users who may have had their payment information exposed during the incident. The company’s response has been to fix the bug, add new checks to its software, and be prepared for similar issues in the future. This data leak highlights the challenges of using open-source software and the importance of taking steps to prevent and prepare for potential security incidents.