# OpenAI Operator – Exfiltration of Cross-origin URL
## Package
## Affected versions
## Patched versions
## Description
### Summary
Operator has several safety checks that rely on user confirmation to mitigate indirect prompt injection attacks.
However, an attacker can exfiltrate sensitive information without user confirmation by crafting a page with:

1. A link that redirects to sensitive information (e.g. an OAuth code) but shows nothing useful on the screen (or simply shows an error page).
2. Text that asks Operator to provide the redirected URL to help fix the error.

Because this flow looks normal (i.e. it contains no classic prompt-injection-looking instruction), and Operator has the agency to try a variety of actions (as long as the chain of actions is not out of context), this results in leaking a cross-origin URL that is very sensitive.
For stealthiness, the PoC only works on Operator’s browser, by detecting the availability of Operator’s Chrome extension in the browser.
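
One way an agent runtime could force a confirmation in this flow, as an added example that is not part of the original advisory and is not OpenAI's fix: before the agent enters text into a page, flag any URL in that text that comes from a different origin and carries a secret-bearing parameter. The function names, the parameter list and the hosts are assumptions made for illustration.

```javascript
// Added example: hypothetical guard run before an agent types or submits
// text into a page. Not OpenAI's fix; all names here are assumptions.

// Parameter names that commonly carry secrets (assumed, not exhaustive).
const SENSITIVE_PARAMS = new Set([
  "code", "access_token", "id_token", "refresh_token", "token", "state",
]);

// Extract absolute http(s) URLs from free text, skipping unparsable ones.
function extractUrls(text) {
  return (text.match(/https?:\/\/[^\s"'<>]+/g) || []).flatMap((raw) => {
    try { return [new URL(raw)]; } catch { return []; }
  });
}

// Sensitive parameter names found in the query string or the fragment
// (implicit-flow responses place tokens after '#').
function sensitiveParams(url) {
  const names = [...url.searchParams.keys()];
  names.push(...new URLSearchParams(url.hash.replace(/^#/, "")).keys());
  return names.filter((n) => SENSITIVE_PARAMS.has(n.toLowerCase()));
}

// Decide whether `text` may be entered into the page at `destinationUrl`
// without asking the user. A URL from another origin that carries a
// sensitive parameter requires confirmation, however benign the page's
// request ("paste the URL so we can fix the error") looked.
function checkOutboundText(text, destinationUrl) {
  const destOrigin = new URL(destinationUrl).origin;
  const findings = [];
  for (const url of extractUrls(text)) {
    const params = sensitiveParams(url);
    if (url.origin !== destOrigin && params.length > 0) {
      findings.push({ origin: url.origin, params });
    }
  }
  return { requireConfirmation: findings.length > 0, findings };
}

// Constructed sample: hosts and the code value are placeholders.
const sample = checkOutboundText(
  "The link sent me to https://app.example/callback?code=CONSTRUCTED123&state=xyz",
  "https://attacker.example/report-error"
);
console.log(JSON.stringify(sample));
```

A parameter-name list is a heuristic; the same origin comparison applies to any other channel through which the agent can send a URL to a page.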
### Severity
High – allows an attacker to exfiltrate highly sensitive information, like OAuth codes, by cleverly bypassing user confirmation.
### Proof of Concept
```
Beginnings See also: Wikipedia:Wikipedia’s oldest articles, Wikipedia:First 100 pages, and User:Emijrp/FirstPages First page and edit: HomePage on 19:27, 15 January 2001 First non-stub/list article: AfghanistaN[a] on 16 January 2001
```
### Timeline
**Date reported**: 02/27/2025
**Date fixed**: 05/08/2025
**Date disclosed**: 05/28/2025