OpenAI addresses 'chat title' bug and global outage, reveals root cause
2 min read 25 Mar 2023, 11:47 AM ISTThe company has provided an explanation for the recent global outage and the chat title bug, stating that the issue has been resolved. The company has successfully restored both the ChatGPT service and chat history feature, except for a few hours of chat history that could not be retrieved.
PremiumOpenAI announced on Wednesday that it resolved a bug that allowed a few users to view the conversation history titles of others using the popular chatbot. To fix the issue, access to chat history between 1 am PDT and 10 am PDT on March 20 was restricted. CEO Sam Altman confirmed the fix via Twitter.
The company has provided an explanation for the recent global outage and the chat title bug, stating that the issue has been resolved. The company has successfully restored both the ChatGPT service and chat history feature, except for a few hours of chat history that could not be retrieved.
According to OpenAI, the investigation revealed that the chat title bug might have resulted in the inadvertent exposure of payment-related information of 1.2 percent of active ChatGPT Plus subscribers during a specific nine-hour period. Prior to OpenAI's decision to temporarily shut down ChatGPT on Monday, some users were able to view another user's first and last name, email address, payment address, the last four digits of a credit card number, and credit card expiration date. However, full credit card numbers were not disclosed at any point.
In order to access this information, a ChatGPT Plus subscriber would have been required to do one of the following reveals OpenAI.
“Open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. These emails contained the last four digits of another user’s credit card number, but full credit card numbers did not appear. It’s possible that a small number of subscription confirmation emails might have been incorrectly addressed prior to March 20, although we have not confirmed any instances of this," explains OpenAI in a blogpost.
Moreover, the company revealed that if ChatGPT users clicked on "My account" and then "Manage my subscription" between 1 a.m. and 10 a.m. Pacific time on Monday, March 20, they may have been able to view other active ChatGPT Plus user's first and last name, email address, payment address, the last four digits of their credit card number, and credit card expiration date.
OpenAI has notified affected users of this potential exposure, although it's uncertain if any similar incidents occurred before March 20. The company assures users that there is no ongoing risk to their data and the bug has been fixed.
The bug was discovered in the Redis client open-source library, redis-py. The chatbot platform used Redis to cache user information on their server so it does not need to check our database for every request.
As per the company, OpenAI identified that the root cause of the chat title bug was the Redis client open-source library, redis-py. ChatGPT had been utilizing Redis to cache user information on their server, which helped them reduce the need to check their database for every request.
OpenAI confirmed that they thoroughly tested the solution to address the underlying bug and implemented additional checks to enhance the security of ChatGPT's services. The company added redundant measures to ensure that the data retrieved from the Redis cache matches the user requesting it.
