When GPT Spills the Tea: Comprehensive Assessment of Knowledge File Leakage in GPTs
Xinyue Shen, Yun Shen, Michael Backes, Yang Zhang

TL;DR
This paper conducts a comprehensive risk assessment of knowledge file leakage in GPTs, identifying five leakage vectors and demonstrating a high success rate of privilege escalation via the Code Interpreter tool, with significant implications for data security.
Contribution
It introduces a novel workflow inspired by DSPM for assessing GPT knowledge file leakage and uncovers multiple leakage vectors and a privilege escalation vulnerability.
Findings
Identified five key leakage vectors in GPTs.
Demonstrated a 95.95% success rate in privilege escalation via Code Interpreter.
Found that 28.80% of leaked files are copyrighted or sensitive.
Abstract
Knowledge files have been widely used in large language model (LLM) agents, such as GPTs, to improve response quality. However, concerns about the potential leakage of knowledge files have grown significantly. Existing studies demonstrate that adversarial prompts can induce GPTs to leak knowledge file content. Yet, it remains uncertain whether additional leakage vectors exist, particularly given the complex data flows across clients, servers, and databases in GPTs. In this paper, we present a comprehensive risk assessment of knowledge file leakage, leveraging a novel workflow inspired by Data Security Posture Management (DSPM). Through the analysis of 651,022 GPT metadata, 11,820 flows, and 1,466 responses, we identify five leakage vectors: metadata, GPT initialization, retrieval, sandboxed execution environments, and prompts. These vectors enable adversaries to extract sensitive…
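The abstract's DSPM-inspired workflow has three steps a practitioner can reproduce in miniature: discover what each GPT exposes, classify the exposed files, and map each GPT onto the leakage vectors its configuration enables. The script below is an added illustration, not the authors' code or dataset: the record schema (`gpt_id`, `tools`, `files`), the sensitivity heuristics and the sample records are all assumptions constructed for this example. Only the vectors visible from metadata (metadata, retrieval, sandboxed execution) are mapped; the initialization and prompt vectors need live responses, which metadata alone cannot show.

```python
"""DSPM-style discovery pass over GPT metadata records (added example).

The record schema, the sensitivity heuristics and the sample records are
assumptions made for this illustration; they are not the paper's dataset
format, not OpenAI's API, and not the authors' tooling.
"""
import re
from dataclasses import dataclass, field

# Constructed sample metadata records (hypothetical schema, not real GPTs).
SAMPLE_METADATA = [
    {"gpt_id": "g-001", "name": "Contract Helper",
     "tools": ["retrieval"],
     "files": ["nda_template.docx", "client_contracts_2023.pdf"]},
    {"gpt_id": "g-002", "name": "Book Tutor",
     "tools": ["retrieval", "code_interpreter"],
     "files": ["textbook_chapter3.epub"]},
    {"gpt_id": "g-003", "name": "Generic Chat", "tools": [], "files": []},
    {"gpt_id": "g-004", "name": "HR Bot",
     "tools": ["code_interpreter"],
     "files": ["employee_salaries.xlsx", "faq.md"]},
]

# Heuristic classifier: filename patterns -> sensitivity label (assumed rules).
SENSITIVE_PATTERNS = [
    (re.compile(r"salar|payroll|ssn|passport|patient|medical", re.I), "personal"),
    (re.compile(r"contract|nda|confidential|internal", re.I), "confidential"),
    (re.compile(r"\.(epub|mobi)$", re.I), "copyrighted"),
]


@dataclass
class Exposure:
    gpt_id: str
    vectors: list = field(default_factory=list)   # metadata-visible vectors
    files: list = field(default_factory=list)     # knowledge files listed
    labels: dict = field(default_factory=dict)    # file -> sensitivity labels


def classify_file(name: str) -> list:
    """Return every sensitivity label whose pattern matches the filename."""
    return [label for pat, label in SENSITIVE_PATTERNS if pat.search(name)]


def assess(record: dict) -> Exposure:
    """Map one metadata record to the leakage vectors its configuration enables.

    Vector names follow the abstract: 'metadata' when file names are already
    visible in the record, 'retrieval' when a retrieval tool can surface file
    content, 'sandbox' when a code-execution tool can reach the files directly.
    """
    files = list(record.get("files", []))
    tools = set(record.get("tools", []))
    exp = Exposure(gpt_id=record["gpt_id"], files=files)
    if files:
        exp.vectors.append("metadata")
    if files and "retrieval" in tools:
        exp.vectors.append("retrieval")
    if files and "code_interpreter" in tools:
        exp.vectors.append("sandbox")
    exp.labels = {f: classify_file(f) for f in files}
    return exp


def summarize(records: list) -> dict:
    """Aggregate exposures: per-vector GPT counts and the sensitive-file share."""
    exposures = [assess(r) for r in records]
    vector_counts: dict = {}
    total_files = sensitive_files = 0
    for exp in exposures:
        for v in exp.vectors:
            vector_counts[v] = vector_counts.get(v, 0) + 1
        total_files += len(exp.files)
        sensitive_files += sum(1 for labels in exp.labels.values() if labels)
    return {
        "gpts": len(records),
        "vector_counts": vector_counts,
        "total_files": total_files,
        "sensitive_files": sensitive_files,
        "sensitive_fraction": (sensitive_files / total_files) if total_files else 0.0,
    }


if __name__ == "__main__":
    for exp in (assess(r) for r in SAMPLE_METADATA):
        print(exp.gpt_id, exp.vectors, exp.labels)
    print(summarize(SAMPLE_METADATA))
```

Run over a real metadata dump, the per-vector counts tell you which hardening step removes the most exposure (for example, disabling the code interpreter for GPTs whose only need is retrieval), and the sensitive-file share is the figure to compare against the 28.80% the paper reports.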
Taxonomy
Topics: Cloud Data Security Solutions
