
I found the tone in the article annoying, but my skim reading was that it is an actual vulnerability. The screenshot from OpenAI loads an image from a third-party site and the URL of the image might have all sorts of details etc.

I think the viewer should have some CSP policy in place to not do that.

That being said, if it was closed as "Not Applicable" it gives me a bit of reason to wonder if some crucial details about the whole chain were either not articulated or mentioned by PromptArmor. Maybe for other reasons it is not actually reasonable to put that on OpenAI's site. I'm not sure on the spot. But on a skim read it looks like a legit vulnerability on OpenAI's part that they should fix.

I really wish PromptArmor had just opened with "OpenAI's log viewer page lacks CSP policies, so it can load arbitrary URL images, and here is an example of how such things can easily end up on that page". This was really annoying to read, but I kept going because I was curious whether it was a legit thing or not...

Edit: I don't know if the article was edited just now, but there is a clarification paragraph that actually makes it a bit more clear. PromptArmor, if you are reading this, I wonder if my gut reaction of being skeptical simply because of the tone and presentation is a common thing, and whether there are ways to be convincing right at the start of an article while still allowing yourself to be marketing-like. I probably would have started with a paragraph that dryly describes exactly the vulnerability: "OpenAI's Log viewer is not secure against maliciously crafted logs, which can result in data exfiltration. On this page, we show a realistic scenario by which a malicious third party can sneak an image URL into this page and exfiltrate data." and then gone on with the rest of the article.



The post itself is pretty comprehensive. I'm not sure they need to pinpoint the exact attack surface in the TLDR, but your version isn't exactly correct, as they point out three mitigations and only one of them is a CSP policy for the API Log viewer.


Yeah, I agree. I think even if you block images with CSP, an attacker could still hide information or attempted exfiltration.
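The two viewer-side defences the thread keeps coming back to (the first comment's "some CSP policy" for images, and this reply's point that blocking images alone is not enough) can be modelled in a few lines. The following is an added example, not code from the thread, from PromptArmor or from OpenAI; the page URL, origins, CSP values and log entries are all constructed for illustration. It builds the restrictive `img-src` policy a log viewer would send, checks which image URLs that policy would let a browser load, and escapes log text so that a crafted entry renders as inert characters rather than as an `<img>` element.

```python
"""Added example (hypothetical names, constructed data): CSP image
restriction plus HTML escaping for a log viewer page."""

import html
import re
from urllib.parse import urlparse

# Constructed sample log entries; the second one carries markup that a
# viewer rendering raw log text as HTML would turn into an image load.
SAMPLE_LOGS = [
    "request id=1 status=200",
    '<img src="https://third-party.example/pixel.png">',
]


def build_csp(extra_image_origins=()):
    """Build the CSP header value for the viewer page.

    Images are limited to the page's own origin plus any explicitly
    allow-listed origins; everything else is restricted to 'self'.
    """
    img_sources = ["'self'", *extra_image_origins]
    return "default-src 'self'; img-src " + " ".join(img_sources)


def _directive(csp_header, name):
    """Return a directive's source list, or None if the directive is absent."""
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def _origin(url):
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}".lower()


def image_allowed(csp_header, page_url, image_url):
    """Decide whether a browser enforcing csp_header would load image_url
    on a page served from page_url.

    Only the source expressions used here are modelled: 'none', 'self' and
    explicit origins (scheme://host[:port]). As in CSP, img-src falls back
    to default-src when absent; with neither directive, the load is allowed.
    """
    sources = _directive(csp_header, "img-src")
    if sources is None:
        sources = _directive(csp_header, "default-src")
    if sources is None:
        return True
    img_origin = _origin(image_url)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "'self'":
            if img_origin == _origin(page_url):
                return True
            continue
        if s.startswith("'"):
            continue  # other keyword sources are not modelled
        if _origin(s) == img_origin:
            return True
    return False


def render_log_entry(entry):
    """Render one log line as inert HTML: any markup inside the log text
    becomes visible characters, never elements, so a log entry cannot add
    an image (or anything else) to the page on its own."""
    return f"<pre>{html.escape(entry, quote=True)}</pre>"


def external_image_urls(entries, page_url, csp_header):
    """Detection side: list image URLs found in log entries that the
    policy would block, i.e. entries worth flagging for review."""
    found = []
    for entry in entries:
        for url in re.findall(r'src="([^"]+)"', entry):
            if not image_allowed(csp_header, page_url, url):
                found.append(url)
    return found


if __name__ == "__main__":
    page = "https://platform.example/logs"
    policy = build_csp()
    print("Content-Security-Policy:", policy)
    for line in SAMPLE_LOGS:
        print(render_log_entry(line))
    print("blocked image URLs:", external_image_urls(SAMPLE_LOGS, page, policy))
```

`build_csp()` and `render_log_entry()` are the two controls applied together: the policy stops the browser from fetching an image from an origin the viewer does not allow-list, and escaping removes the injection route that would have produced the `<img>` in the first place, so neither control has to carry the whole load. `external_image_urls()` is the monitoring counterpart, surfacing entries that tried to reference an outside origin.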

The post got me now instead wondering how to keep people from shallowly dismissing perfectly fine articles for dumb reasons, like I almost did. It's not even that unclear what the attack is in the article's opening when I look at it now again, and I went around their posts to see how PromptArmor generally does their writing because I got curious about the writing part...

I've seen in the past vulnerabilities that were way overblown but hyped up, so this made me notice how that armor has made me skeptical whenever some article like this feels like it combines marketing + vulnerability reporting.



