OpenAI introduces Lockdown Mode to curb prompt injection risks

The tech giant aims to mitigate data exfiltration threats, though it acknowledges that vulnerabilities persist via cached content and uploaded files.

Author: Owen Mercer, Markets and Finance Editor
Published: Draft
Source: TechCrunch · original

OpenAI unveils Lockdown Mode to protect sensitive data from prompt injection attacks
New feature restricts live browsing and agent capabilities for business and eligible personal accounts

OpenAI has launched Lockdown Mode, a new security feature for ChatGPT designed to mitigate risks associated with prompt injection attacks and protect sensitive data. The update disables live web browsing, web image retrieval, deep research, and agent mode, restricting the model to cached content only. The feature is currently being rolled out to self-serve ChatGPT Business accounts and eligible personal accounts.

Prompt injection attacks involve malicious chatbot instructions hidden within webpages or other content sources, which can manipulate the AI's behaviour or accuracy. To counter this, Lockdown Mode restricts the model's ability to interact with live internet data. While live browsing is disabled, the system retains access to cached content. Similarly, while the retrieval and display of images from the web are restricted, image generation capabilities remain enabled.

OpenAI explicitly states that the feature is not intended for all users, but rather for individuals and organisations handling sensitive data who require stricter protection against data exfiltration. The company notes that even with Lockdown Mode enabled, ChatGPT remains vulnerable to prompt injections. Malicious instructions could still appear in cached web content or in uploaded files, potentially affecting the behaviour or accuracy of a response.

The primary objective of the feature is to reduce the likelihood of sensitive data being shared or exfiltrated during such attacks, rather than providing absolute immunity. By disabling high-risk capabilities such as agent mode and deep research, OpenAI aims to create a more controlled environment for users prioritising data security over real-time information retrieval.

The specific technical mechanisms by which Lockdown Mode mitigates data exfiltration risks are not detailed in the source material. Furthermore, the exact criteria for which personal accounts are deemed eligible have not been specified. The long-term efficacy of Lockdown Mode against evolving prompt injection techniques remains unverified by independent third parties in the source material.
