The National Information Technology Development Agency (NITDA) has issued an urgent cybersecurity advisory, warning Nigerians about new vulnerabilities in ChatGPT that could expose users to data-leakage attacks.
The notice was released through the agency’s Computer Emergency Readiness and Response Team (CERRT.NG).
The advisory came amid growing concerns over AI-powered tools interacting with unsafe web content and the increasing reliance on ChatGPT for business, research, and public-sector tasks.
According to the advisory, researchers discovered seven vulnerabilities affecting GPT-4o and GPT-5 models, which allow attackers to manipulate ChatGPT through indirect prompt injection. Hidden instructions embedded in webpages, comments, or URLs can trigger unintended commands during normal browsing, summarisation, or search actions.
“By embedding hidden instructions in webpages, comments, or crafted URLs, attackers can cause ChatGPT to execute unintended commands simply through normal browsing, summarisation, or search actions,” the agency stated.
Some flaws could bypass safety controls by masking malicious content behind trusted domains, while others exploit markdown rendering bugs, allowing hidden instructions to pass undetected. In severe cases, attackers could poison ChatGPT’s memory, forcing the system to retain malicious instructions that influence future conversations. NITDA noted that although OpenAI has patched parts of the issue, large language models (LLMs) still struggle to reliably distinguish genuine user intent from malicious data.
The agency warned that these vulnerabilities could result in unauthorised actions by the model, unintended exposure of user information, manipulated or misleading outputs, and long-term behavioural changes caused by memory poisoning. Users may unknowingly trigger attacks, even without direct interaction, especially when ChatGPT processes search results or webpages that contain hidden, malicious instructions.
To mitigate risks, NITDA advised Nigerians, businesses, and government institutions to limit or disable the browsing and summarisation of untrusted websites within enterprise environments and enable features like browsing or memory only when necessary. The regulatory agency also recommended regularly updating deployed GPT-4o and GPT-5 models to ensure all known vulnerabilities are patched.




