The invisible risk: Can you really trust your ‘private’ AI assistant to keep your secrets?

TECH AFFAIRS: Research by Israeli cybersecurity company Check Point found a weakness in ChatGPT’s system that could allow someone to extract data without triggering any alarms.

The Jerusalem Post
By JACOB LAZNIK
APRIL 4, 2026 10:51

Imagine this: you’re asking ChatGPT to help with something you really don’t want anyone else to see. Maybe it’s a lab report with your name on it. Maybe it’s a resignation letter you haven’t sent yet. Maybe it’s a contract, a financial spreadsheet, or a private message you’re trying to word carefully. 

You assume it stays between you and your “personal assistant” until you approve sending it somewhere else. But research by the Israeli cybersecurity company Check Point says that assumption may not have always held up.

The company found a weakness in ChatGPT’s system that could allow someone to extract data without triggering any alarms. According to Check Point Software Technologies, there is a small hole in the code that could be used to move data around without triggering the usual alert warnings.

OpenAI said in late 2025 that it was serving more than 800 million users a week, and separate OpenAI research found users were already sending about 18 billion messages weekly by July 2025. People don’t just use it for jokes or curiosity. They use it to review spreadsheets, summarize contracts, draft emails, write code, polish presentations, and make sense of medical or financial language that can feel overwhelming on its own.

We are not just talking about a chatbot that people use for fun every now and then. This is a system that many people use as a helper for their work, a partner for writing, a tool for research, and sometimes even as someone to talk to about personal decisions. If there is a hidden flaw in a system like this, it is not just a problem with the technology. It is a problem with trust.

The logo of network security provider Check Point Software Technologies Ltd is seen on servers at their headquarters in Tel Aviv, Israel August 14, 2016 (credit: REUTERS/BAZ RATNER)

Check Point said the flaw sat inside the runtime ChatGPT uses for data analysis and Python-based tasks. You can think of that runtime as a sealed workspace inside the product, a place where files can be processed and code can run without freely reaching out to the wider Internet. According to the research, normal outbound web traffic was blocked, but one background function remained available: Domain Name System (DNS) resolution, the system computers use to find websites.

That one small function was all that was needed. By taking advantage of a weakness in DNS, attackers could create a secret way to move information out of a secure area.

This is called “DNS tunneling,” but it’s not as complicated as it sounds. Basically, instead of sending data through normal Internet traffic, the attacker hides tiny bits of it inside what looks like a regular request to look up a website. It’s like sneaking a small message inside a harmless-looking package. The attacker can then use this secret tunnel to slowly move information out of the environment, without being detected.
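Because the only thing a sealed runtime still needs from the outside is name resolution, the defender's view of this channel is the DNS query log: a tunnel shows up as many distinct, never-repeated subdomains of one parent domain, each label stuffed with encoded bytes. The following detector is an added example and is not code from Check Point or OpenAI; the log format, the client address, the benign hosts and the `attacker-example.test` domain are all constructed for illustration, and the thresholds are starting points rather than tuned values.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client, query name, query type).
# Hypothetical data for this example only: the format, hosts and the
# "attacker-example.test" domain are made up and are not from the research.
SAMPLE_DNS_LOG = """\
2026-02-19T10:00:01Z 10.0.0.5 pypi.org A
2026-02-19T10:00:02Z 10.0.0.5 files.pythonhosted.org A
2026-02-19T10:00:03Z 10.0.0.5 cdn-assets-eu-west-1.static.cdn-provider.test A
2026-02-19T10:00:04Z 10.0.0.5 a1b2c3d4e5f60718.attacker-example.test A
2026-02-19T10:00:05Z 10.0.0.5 9f8e7d6c5b4a3928.attacker-example.test A
2026-02-19T10:00:06Z 10.0.0.5 0123456789abcdef0123456789abcdef.attacker-example.test TXT
2026-02-19T10:00:07Z 10.0.0.5 api.github.com A
2026-02-19T10:00:08Z 10.0.0.5 api.github.com A
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # a label that looks like hex-encoded bytes


def parse_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def registrable_domain(qname):
    """Naive parent-domain extraction (last two labels). A production detector
    should use the Public Suffix List so that names like example.co.uk are handled."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname, max_label_len=30, min_digit_ratio=0.4):
    """Return the reasons a single query name looks like it carries encoded data
    in its subdomain labels; an empty list means nothing suspicious was seen."""
    labels = qname.rstrip(".").split(".")
    sub = labels[:-2]                      # everything left of the parent domain
    subtext = "".join(sub)
    reasons = []
    longest = max((len(label) for label in sub), default=0)
    if longest > max_label_len:
        reasons.append(f"long label ({longest} chars)")
    hex_labels = [label for label in sub if HEX_LABEL.match(label)]
    if hex_labels:
        reasons.append(f"hex-like label ({len(hex_labels[0])} chars)")
    if len(subtext) >= 12:
        digit_ratio = sum(ch.isdigit() for ch in subtext) / len(subtext)
        if digit_ratio >= min_digit_ratio:
            reasons.append(f"digit-heavy subdomain ({digit_ratio:.0%} digits)")
    return reasons


def find_tunneling_candidates(text, min_unique_subdomains=3):
    """Group queries by parent domain and report domains that receive several
    distinct, suspicious-looking subdomains, which is the shape of a DNS tunnel."""
    by_domain = defaultdict(set)
    reasons_by_name = {}
    for rec in parse_log(text):
        qname = rec["qname"].lower()
        by_domain[registrable_domain(qname)].add(qname)
        reasons = score_query(qname)
        if reasons:
            reasons_by_name[qname] = reasons
    findings = []
    for domain, names in by_domain.items():
        flagged = sorted(n for n in names if n in reasons_by_name)
        if flagged and len(names) >= min_unique_subdomains:
            findings.append({
                "domain": domain,
                "unique_subdomains": len(names),
                "flagged": flagged,
                "reasons": {n: reasons_by_name[n] for n in flagged},
            })
    return sorted(findings, key=lambda f: f["domain"])


if __name__ == "__main__":
    for finding in find_tunneling_candidates(SAMPLE_DNS_LOG):
        print(f"{finding['domain']}: {finding['unique_subdomains']} unique subdomains")
        for name in finding["flagged"]:
            print(f"  {name}: {', '.join(finding['reasons'][name])}")
```

Run against the constructed log, the detector ignores the package-index and API lookups a code sandbox legitimately makes and reports only `attacker-example.test`, which received three distinct hex-looking subdomains. The per-domain grouping matters more than any single-label heuristic: one odd-looking name is noise, while a stream of unique names under one parent is the signature. For a sealed execution runtime the structural fix is the one the article implies: treat DNS as an egress path like any other, resolve only through a controlled resolver, and alert on resolution attempts for domains the workload has no reason to contact.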

ChatGPT does have approved ways to connect with outside services. GPT Actions, for example, is supposed to be visible and require user approval before data is sent elsewhere. Check Point said the flaw it found sidestepped that model, because the assistant behaved as if the code execution environment could not send data outward directly. In other words, the system didn’t recognize the activity as an external transfer that needed to be blocked or shown to the user.

How the potential leak could work

Check Point said that the attack could begin with something as ordinary as a prompt, the text instruction a user pastes into ChatGPT.

Prompt-sharing has become a popular trend. People copy prompts from LinkedIn posts, Reddit threads, newsletters, forums, Slack groups, and “best prompts” lists every day. Most of the time, they don’t stop to wonder where that text actually came from.

That gave attackers a natural disguise. A malicious prompt could be framed as a writing shortcut, a productivity trick, or even a hack for getting premium-style behavior. And let’s be honest, many legitimate prompts already look strange. They’re long, overly detailed, and packed with clunky instructions. So, if one more odd-looking prompt shows up in your feed, you probably wouldn’t think twice.

Once that prompt was in place, Check Point said later messages in the conversation with ChatGPT could become a source of leaked information. That could include what you typed, text pulled from uploaded files, and, crucially, the model’s own summaries and conclusions.

While exposing your own personal files is a huge issue, access to the model’s summaries is actually more problematic. An attacker may not care about a raw 30-page contract if the model can boil it down to the four clauses that actually matter. They may not want the full medical report if ChatGPT has already summarized the likely diagnosis, the red flags, and the next step. They may not need the whole quarterly spreadsheet if the system produces a neat paragraph explaining the financial risk.

In that sense, the research describes something more serious than simple document theft. It describes the possible theft of the most useful insight inside the document.

If a trusted AI system reads something sensitive, turns it into something concise and valuable, and quietly sends that result elsewhere, the damage may be worse than if the original file leaked on its own.

How does this impact everyday users?

Check Point’s report has come out at a time when people are using AI tools for far more than casual questions. OpenAI’s own research said about 30% of consumer ChatGPT usage is tied to work, while most conversations, overall, center on practical guidance, information, and writing. That means millions of users are feeding these systems material that is commercially sensitive, personally identifying, or simply private.

The real-world applications are endless. A lawyer uploads a draft agreement. A startup founder pastes in a fundraising memo. A manager asks for help rewriting a performance review. A parent wants help understanding a child’s blood test. A student drops in a scholarship essay that includes personal details. A job seeker asks ChatGPT to improve a cover letter that mentions a current employer. None of those people thinks of themselves as taking a cybersecurity risk. They think they’re just getting help.

That is why this kind of weakness is so unsettling. Could most users spot an attack like this while it was happening? Probably not. If the answers still come back polished, the conversation still feels normal, and there’s no warning on screen, then you have very little reason to think anything is wrong.

Custom GPTs make the risk of undetected attacks even higher

Check Point said the risk became even more serious when the same behavior was embedded in a custom GPT. In that scenario, the attacker would not need to persuade someone to paste a suspicious prompt into a regular chat at all. The malicious behavior could be built into a specialized GPT’s instructions or files, while the user believed they were simply opening a tool designed for a specific purpose.

Custom GPTs are often preset bots marketed around convenience and expertise: legal drafting, marketing plans, interview prep, budgeting, customer support, study help, and health guidance. The specialization makes them feel safer, not riskier. If something looks like a purpose-built assistant, many users are more likely to trust it, not less. Custom GPTs are also specifically programmed to produce certain results that users with similar inquiries will be satisfied with, so for a lot of these requests, it’s quite appealing to seek out a specific GPT rather than asking the generic chatbot.

To illustrate the point, Check Point built a proof of concept involving a “personal doctor” GPT. In the demonstration, a user uploaded lab results containing identifying information and asked the system to interpret symptoms and the medical findings. From the user’s point of view, everything looked normal. The GPT responded as expected, and the assistant even said, after being asked, that the uploaded data had not been sent anywhere.

Behind the scenes, however, Check Point said the attacker’s server received both the patient’s identity from the file and the model’s medical assessment. No approval prompt appeared. No visible signal informed the user that any data had left the session.

From quiet leakage to remote access

Check Point said the same covert channel could also be used for something more aggressive than data theft. Once a two-way path existed between the runtime and an attacker-controlled server, the researchers said it could be used to send commands into the Linux container used for code execution and receive results back through the same route. In effect, the company said, that amounted to remote shell access inside the runtime.

Put simply, it would mean the attacker was not just extracting information. They could potentially operate inside the environment where ChatGPT was performing analysis tasks. And because those commands would not need to appear in the visible conversation, the activity could take place outside the normal chat flow and beyond the assistant’s usual safeguards.

Check Point said it disclosed the issue to OpenAI, which confirmed it had already identified the underlying problem internally and fully deployed a fix on February 20, 2026. That lowers the immediate risk, but it doesn’t erase the broader lesson, nor does it indicate how many bad actors found this exploit before it was resolved.

AI assistants are no longer just chat windows. They are becoming working environments, places where we upload files, run code, analyze records, and generate high-value conclusions from sensitive material.

Check Point’s study used only ChatGPT; however, it argues that the findings do not warrant separate case studies for Claude or Gemini, but rather call for a more hands-on, monitored approach to AI security across the board. 

Meanwhile, as this evolution continues, the security question changes too. It’s no longer only about whether the model gives a useful answer. It’s whether the invisible infrastructure under that answer can be trusted.

For now, one doesn’t need to stop using AI entirely, but one should think twice and remember that “your personal assistant” may be communicating with someone else.

When you hand private information to an AI system, you assume the walls around that system are solid. The reality is that those walls may depend on technical layers that most of us will never see, and probably won’t think to question until something goes wrong.
