OpenAI Partners With Axios, ChatGPT Crawler Can Be Tricked Into Initiating DDoS Attacks

When OpenAI launched its ChatGPT chatbot in November 2022, the world was mesmerized by its capabilities.

As a result, the GenAI-powered (generative artificial intelligence) tool amassed over one million users in less than five days, while hitting the hundred million mark in just two months.

It’s no surprise too, considering the chatbot could reply to users as if it were just another person. Users could simply ask a question and the chatbot could spit out long-form text instantly.

However, there were a few downsides.

Such chatbots couldn’t provide answers based on current scenarios, or anything that was in the news. The problem was that it was trained entirely on old data and never had access to new bits.

Ultimately, this issue was ironed out as artificial intelligence (AI) technology companies building such chatbots began partnering with various diverse content platforms, including the largest news publishers such as Axel Springer, Associated Press, Condé Nast, TIME, NewsCorp, Reddit, and others.

All in all, these moves span around 20 media organizations, 160 news outlets, and hundreds of content brands across over 20 languages.

The idea was to bring real-time events to the answers provided to users, as well as enable the chatbot to generate better answers. This also helps news publishers as they get better access to OpenAI’s tools, allowing journalists to enhance time-consuming tasks while publishers can explore new ways to reach readers through ChatGPT.

Essentially, these partnerships enable the creation of a healthy news ecosystem, and OpenAI has not stopped partnering up.

Recently, OpenAI announced that it was partnering with Axios to expand its work with the news industry.

This comes with a new content partnership for OpenAI and funding for Axios, in addition to other benefits. The funding will help Axios expand its local news coverage by building newsrooms powered by ChatGPT in four new cities—Pittsburgh (Pennsylvania), Kansas City (Missouri), Boulder (Colorado), and Huntsville (Alabama).

“We launched Axios Local nearly four years ago with the bold goal of bringing local news to communities across the country,” said Jim VandeHei, Axios Co-founder and CEO. “OpenAI’s investment allows us to continue our expansion and aid us in bringing essential local news to deserving audiences.”


Interestingly, following this reveal, Axios published a news article that spoke about a top AI company gearing up to announce a next-level breakthrough soon, which would see the emergence of PhD-level super-agents.

While the release did not mention which company is behind this, it did explicitly state the company was “possibly OpenAI”.

One of the telling factors in this case is that OpenAI CEO Sam Altman is in Washington for President-elect Donald Trump’s inauguration and has reportedly scheduled a closed-door meeting with US government officials on January 30.

These super-powered, PhD-level agents are capable of tackling messy, multilayered, real-world problems that vex even the best of humans at times. These agents don’t just respond to simple commands but go above and beyond to achieve the end goal.

For example, telling the agent to build a new payment software application would result in it designing, testing, and delivering a fully functioning product. Essentially, they can execute complete processes with speed, accuracy, and throughput.

However, one concern with such tools is that they might still have reliability and hallucinatory hangovers as the early chatbots had. That’s unless OpenAI has figured out how to bypass such issues.

That’s still a ways away, especially without knowing if the announcement will be of PhD-level agents and if that announcement will come from OpenAI.

For now, there’s a bigger bug in the system for OpenAI.

According to German security researcher Benjamin Flesch, OpenAI’s ChatGPT crawler can be used to initiate distributed denial of service (DDoS) attacks on arbitrary websites.

Through a post on GitHub, Flesch explains how a single HTTP request to the ChatGPT API can cause it to bombard a website with network requests ChatGPT crawler ChatGPT-User, amplifying a single API request into 20 to 5,000 or more requests.

An excerpt from the post reads, “ChatGPT API exhibits a severe quality defect when handling HTTP POST requests to https://chatgpt.com/backend-api/attributions. The API expects a list of hyperlinks in parameter URLs. It is commonly known that hyperlinks to the same website can be written in many different ways.”

“Due to bad programming practices, OpenAI does not check if a hyperlink to the same resource appears multiple times in the list. OpenAI also does not enforce a limit on the maximum number of hyperlinks stored in the URLs parameter, thereby enabling the transmission of many thousands of hyperlinks within a single HTTP request.”

The post further contains Proof of Concept, as well as a disclaimer stating that as of January 10, 2025, the defect was not corrected by OpenAI or its primary backer Microsoft, while neither company acknowledged the issue’s existence.

Do you think OpenAI’s partnerships with news agencies and content brands will allow it to lead the GenAI-powered chatbot space? Do you think the company has a responsibility to its product to ensure that it shouldn’t be able to engage in harmful activities, such as deploying DDoS attacks?

Let us know in the comments below!