Description:
When a user has a ChatGPT Plus subscription, they can access the site during periods of high demand by logging in with the email function. However, it has been discovered that unauthorised users who do not have a valid ChatGPT Plus subscription (accounts that still have the option to purchase an upgrade to ChatGPT Plus) can also access the subscriber email login page. This is a security concern, as it allows unauthorised access. This bug report outlines the steps to reproduce the issue and possible solutions.
Steps to reproduce it:
- Have the Upgrade to Plus option in the dashboard
- Press "Upgrade to Plus" while connected to a VPN with the location set to London (not sure if this step is required, but I will include it)
- An error should occur
- It works in both incognito and non-incognito mode, but I will open a new incognito window
- Go to chat.openai.com
- Type the email address and press Send
- An email should appear in the inbox
- The authentication link works, and you are in.
- Tested with accounts that have no upgrade option; it does not work
How to resolve:
- Ban VPN usage to access ChatGPT
- Ping the payment provider for every request to check that active subscription = true
- Keep a list of active subscription emails in a database that updates every 5 minutes (less than 5 minutes would waste resources), and compare each request against the list
————-
PS: The bug has already been reported using the chat support function. I don't know if the devs will see it or not, so I came here. If this helps, I don't mind free ChatGPT Plus as a reward. (:
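As an added illustration of the report's third suggested fix (a list of entitled emails refreshed from the payment provider every few minutes and compared against every request), and not code from the report or from OpenAI, the following Python sketch gates an email ("magic link") login on a cached entitlement list. The provider records, the fetch function, the 300-second TTL, the token format and all class and function names are assumptions made for the example. Two points it adds beyond the report: the entitlement check runs both when the link is requested and when it is redeemed (the report shows the link itself logging the user in), and the cache fails closed, so an unreachable provider denies access rather than granting it.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Constructed sample data standing in for the payment provider's records
# (hypothetical; not a real billing API or real accounts).
PROVIDER_SUBSCRIPTIONS: Dict[str, bool] = {
    "alice@example.com": True,   # active Plus subscriber
    "bob@example.com": False,    # account exists, still has the "Upgrade to Plus" option
}


def normalize_email(email: str) -> str:
    """Canonical form for comparison: trimmed and lower-cased."""
    return email.strip().lower()


def fetch_active_subscribers() -> Set[str]:
    """Hypothetical provider call returning the set of entitled emails."""
    return {normalize_email(e) for e, active in PROVIDER_SUBSCRIPTIONS.items() if active}


def unreachable_provider() -> Set[str]:
    """Constructed failure case: the billing API cannot be reached."""
    raise ConnectionError("billing API unreachable")


@dataclass
class EntitlementCache:
    """Entitlement list refreshed from the provider at most once per TTL.

    Fails closed: if the list has never been fetched successfully, nobody is
    entitled; if a refresh fails after a successful load, the last good list is
    kept and the refresh is retried on the next request.
    """
    fetch: Callable[[], Set[str]]
    ttl_seconds: float = 300.0                     # the report's "every 5 minutes"
    clock: Callable[[], float] = time.monotonic    # injectable for testing
    _entries: Set[str] = field(default_factory=set)
    _loaded_at: Optional[float] = None

    def _refresh_if_stale(self) -> None:
        now = self.clock()
        if self._loaded_at is not None and now - self._loaded_at < self.ttl_seconds:
            return
        try:
            self._entries = set(self.fetch())
            self._loaded_at = now
        except Exception:
            # Keep whatever we had; an empty set (never loaded) denies everyone.
            pass

    def is_entitled(self, email: str) -> bool:
        self._refresh_if_stale()
        return normalize_email(email) in self._entries


@dataclass
class PriorityLogin:
    """Email ("magic link") login gated on an active subscription."""
    cache: EntitlementCache
    issued_tokens: Dict[str, str] = field(default_factory=dict)

    def request_link(self, email: str) -> Optional[str]:
        """Gate 1: only issue a link to an entitled address. Returns the token or None."""
        if not self.cache.is_entitled(email):
            return None
        token = secrets.token_urlsafe(32)
        self.issued_tokens[token] = normalize_email(email)
        return token

    def redeem_link(self, token: str) -> bool:
        """Gate 2: re-check entitlement when the link is clicked, so a lapsed
        subscription (or a link issued before the list was corrected) does not
        log the user in. Tokens are single use."""
        email = self.issued_tokens.pop(token, None)
        if email is None:
            return False
        return self.cache.is_entitled(email)
```

In use, `request_link` is called by the "type the email and press Send" step and `redeem_link` by the authentication link; a request from an account that only has the upgrade option gets `None` at the first gate and `False` at the second, while a subscription that becomes active shows up after the next TTL expiry without contacting the provider on every request.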