The National Information Technology Development Agency (NITDA) has issued an urgent cybersecurity advisory warning Nigerians about new vulnerabilities in ChatGPT that could expose users to data-leakage attacks.
The agency released the notice through its Computer Emergency Readiness and Response Team (CERRT.NG).
The warning follows rising concerns about AI-powered tools interacting with unsafe web content and the growing dependence on ChatGPT for business, research, and public-sector tasks.
What they are saying
According to the advisory, researchers discovered seven vulnerabilities affecting GPT-4o and GPT-5 models that allow attackers to manipulate ChatGPT through indirect prompt injection.
The agency explained that hidden instructions placed inside webpages, comments, or URLs can trigger unintended commands during regular browsing, summarisation, or search actions.
“By embedding hidden instructions in webpages, comments, or crafted URLs, attackers can cause ChatGPT to execute unintended commands simply through normal browsing, summarization, or search actions,” they stated.
- It added that some flaws allow the bypassing of safety controls by masking malicious content behind trusted domains. Other weaknesses take advantage of markdown rendering bugs, enabling hidden instructions to pass undetected.
- In severe cases, attackers can poison ChatGPT’s memory, forcing the system to retain malicious instructions that influence future conversations.
They stated that while OpenAI has fixed parts of the issue, LLMs still struggle to reliably separate genuine user intent from malicious data.
Potential impact on users
NITDA warned that these vulnerabilities could lead to a range of cybersecurity threats, including:
- Unauthorized actions carried out by the model
- Unintended exposure of user information
- Manipulated or misleading outputs
- Long-term behavioural changes caused by memory poisoning
CERRT.NG added that users may unknowingly trigger these attacks without clicking or interacting with anything, especially when ChatGPT processes search results or webpages containing hidden malicious instructions.
Preventive measures
The agency advised Nigerians, businesses, and government institutions to adopt several precautionary steps to stay safe. These include limiting or disabling the browsing and summarisation of untrusted websites within enterprise environments and enabling features like browsing or memory only when necessary.
It also recommended regular updates to deployed GPT-4o and GPT-5 models to ensure known vulnerabilities are patched.
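As an added illustration (not part of the NITDA advisory or of any OpenAI tooling), the sketch below shows how an enterprise gateway could apply the first measure: it refuses pages from hosts outside an allowlist and, for approved hosts, passes on only the rendered text while reporting HTML comments and hidden elements separately. The host names, `PageText` and `prepare_for_summary` are assumptions made for this example, and the hidden-content checks are not exhaustive.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the organisation has approved for summarisation (placeholders).
TRUSTED_HOSTS = {"intranet.example.com", "docs.example.com"}
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "track", "wbr"}
NEVER_RENDERED = {"script", "style", "template", "noscript"}

class PageText(HTMLParser):
    """Separates text a reader sees from text only a model fed raw HTML would see."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.hidden = [], []
        self._open = []  # (tag, hidden?) for each open element

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hide = (tag in NEVER_RENDERED or "hidden" in a
                or "display:none" in style or "visibility:hidden" in style)
        self._open.append((tag, hide or (bool(self._open) and self._open[-1][1])))

    def handle_endtag(self, tag):
        names = [t for t, _ in self._open]
        if tag in names:  # also drops unclosed children such as <p> or <li>
            del self._open[len(names) - 1 - names[::-1].index(tag):]

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            hidden = bool(self._open) and self._open[-1][1]
            (self.hidden if hidden else self.visible).append(text)

    def handle_comment(self, data):
        if data.strip():
            self.hidden.append(data.strip())

def prepare_for_summary(url, html):
    """Return (allowed, visible_text, hidden_fragments) for one fetched page."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in TRUSTED_HOSTS:  # exact match: look-alike subdomains are refused
        return False, "", []
    parser = PageText()
    parser.feed(html)
    parser.close()
    return True, " ".join(parser.visible), parser.hidden

# Constructed sample page: one HTML comment and one hidden element.
SAMPLE = """<html><body><h1>Quarterly report</h1>
<!-- constructed hidden instruction A -->
<p>Revenue grew 4%.</p>
<div style="display: none">constructed hidden instruction B</div>
</body></html>"""
```

A non-empty list of hidden fragments on an approved page is worth logging for review, since ordinary readers never see that text.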
What you should know
A few months ago, the agency issued a public alert warning Nigerians about a critical security flaw affecting embedded SIM (eSIM) cards used in smartphones, tablets, wearables and IoT devices.
The vulnerability was traced to the GSMA TS 48 Generic Test Profile (version 6.0 and earlier), a testing standard applied to eUICC chips. At the time, NITDA disclosed that more than 2 billion devices worldwide were exposed to risks that could allow attackers to install malicious applets, extract cryptographic keys or even clone eSIM profiles.
The agency warned that successful exploitation could result in intercepted communications, persistent device control and stealth backdoors at the SIM card level.
