Check Point Research found that ChatGPT's Linux code-execution runtime could resolve attacker-controlled DNS queries, turning domain lookups into a hidden outbound channel. A single crafted prompt — or logic baked into a malicious custom GPT — could instruct the model to encode a conversation's most sensitive content into DNS requests, which were never treated as data sharing and raised no alerts.
Chat messages, uploaded files, and derived insights could be silently siphoned with no user permission dialog; OpenAI deployed a fix on 2026-02-20 with no reported in-the-wild exploitation.
Treating all outbound protocols including DNS as monitored egress, and sandboxing the model runtime from arbitrary network resolution, closes the covert channel.
Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.
Request a demo