2026-02
Data Leakage
OpenAI

ChatGPT DNS covert channel let a single prompt exfiltrate conversation data

What happened

Check Point Research found that ChatGPT's Linux code-execution runtime could resolve attacker-controlled DNS queries, turning domain lookups into a hidden outbound channel. A single crafted prompt — or logic baked into a malicious custom GPT — could instruct the model to encode a conversation's most sensitive content into DNS requests, which were never treated as data sharing and raised no alerts.

Impact

Chat messages, uploaded files, and derived insights could be silently siphoned with no user permission dialog; OpenAI deployed a fix on 2026-02-20 with no reported in-the-wild exploitation.

How this could have been prevented

Treating all outbound protocols including DNS as monitored egress, and sandboxing the model runtime from arbitrary network resolution, closes the covert channel.

Sources

More data leakage incidents

Would runtime governance have caught this?

Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.

Request a demo