~/fletcherface

making robots do things they shouldn't

$ cat post.meta
date:
platform: OpenAI / Bugcrowd
severity: High
status: submitted

Follow-Up: Google Redirects, Multi-Hop Chains, and What OpenAI Said They Fixed

After the initial hidden link finding, follow-up testing revealed multi-hop navigation chains, a Google open redirect bypass that OpenAI's own paper claimed was fixed, and response injection across page boundaries.

#ai-security #prompt-injection #openai #bug-bounty

Previously

In the first post, I showed that ChatGPT’s Pro mode agent autonomously follows <a href> links hidden in near-invisible CSS text. The agent clicks links from content humans can’t see, sending requests to attacker-controlled servers.

After submitting that finding to Bugcrowd, I ran follow-up tests to map the boundaries of the behavior. Some of these results made it into an addendum on the original submission. Some got dropped because they weren’t novel enough to include. Here’s all of it.

Multi-Hop Navigation Chains

The original finding showed the agent clicking links on a single page. The next question: what happens when those links lead to more attacker pages with more hidden links?

I set up a chain of five pages, each containing hidden links to the next one in the sequence. Each page had a unique canary term — a distinctive fake phrase that would only appear in the agent’s response if it read that specific page.

Result: 2-hop depth confirmed. The agent navigated from page A to page B to page C, then stopped. It didn’t reach pages D or E. The chain-2 canary term (“lactate shuttle hypothesis”) appeared in the final response, along with a fabricated citation (Lindqvist, M. 2026) presented as if it were real.

Two hops might not sound like much, but it means an attacker doesn’t just control one page of injected content — they control a tree of pages. Hidden links on page A lead to page B, which can contain entirely different injected content, instructions, or further links. The agent treats each page as independent legitimate content.

Google Open Redirect: The Fix That Didn’t

This one’s interesting because of what OpenAI has publicly claimed.

In January 2026, OpenAI published a paper called “Preventing URL-Based Data Exfiltration in Language-Model Agents” describing their Safe URL system. The paper includes Figure 3, which explicitly shows the google.com open redirect as a known bypass vector. They explain that they moved from a domain allowlist to a URL-index-based approach, and state that open redirects are “no longer an issue.”

So I tested it.

The Setup

A hidden link pointing to google.com/url?q=attacker-domain. Google’s URL redirect service bounces the request through google.com — a domain the agent deeply trusts — and lands on the attacker’s server.

The Result

PAGE_VISIT | ChatGPT-User/1.0 | slug: google-redir-test
EXFIL      | ChatGPT-User/1.0 | via: google-redirect
EXFIL      | ChatGPT-User/1.0 | via: google-redirect
EXFIL      | ChatGPT-User/1.0 | via: direct

All three links followed. Both Google redirect links and the direct link. The agent visited google.com/url, got 302’d to the attacker domain, and made the request. Tested twice across separate sessions with the same result.

This isn’t a new attack concept — OpenAI knows about it and wrote about it in their paper. The point is that their claimed mitigation doesn’t fully work. The URL-index approach was supposed to solve this. It didn’t.

Other Redirectors

For comparison, I tested YouTube and Bing redirect endpoints in the same payload. Neither was followed. Google’s /url endpoint specifically still works, which suggests some kind of special-casing or trust relationship with google.com that survives the redirect.

Response Injection via Canary Terms

Across multiple tests, a consistent pattern emerged: fake terms planted in hidden text reliably appeared in the agent’s response to the user. This isn’t just the agent “reading” hidden text — it’s the agent incorporating attacker-controlled content into its answer as if it were legitimate.

In the multi-hop tests, a fabricated researcher name and citation from page C showed up in the response about page A. The user asked about page A. The answer included fake data from a page the user never knew existed, presented with full confidence.

This is response injection. The attacker doesn’t just make the agent click links — they control what the agent tells the user.

SSRF via Same-Domain 302

The scariest test involved a same-domain redirect endpoint. Instead of linking directly to internal addresses (which Safe URL correctly blocks), the hidden text linked to a path on the attacker’s own domain that returned a 302 redirect to 169.254.169.254 — the AWS metadata endpoint.

Result: 11 retry attempts over 12 minutes. The agent followed the redirect chain to the internal IP, got blocked at the network level, but kept retrying. The agent’s thinking text noted the links were “nonpublic” but it didn’t stop trying.

Direct links to internal IPs (169.254.169.254, metadata.google.internal, localhost) were all correctly filtered by Safe URL. But the same-domain redirect bypassed that filtering — Safe URL checks the initial URL, not the redirect target.

The requests ultimately failed because AWS metadata wasn’t actually there, but the behavior pattern is clear: same-domain redirects can route the agent to internal infrastructure targets that direct links cannot reach.

What Didn’t Work

Keeping the tradition of documenting failures:

  • Instant mode doesn’t browse URLs at all — zero events
  • Thinking mode doesn’t browse URLs at all — zero events
  • Meta refresh tags were ignored by the agent browser
  • YouTube redirect (youtube.com/redirect) — not followed
  • Bing redirect — not followed
  • Raw IP links (67.x.x.x:8889) — filtered by Safe URL
  • Cross-domain links to httpbin.org — not followed
  • JavaScript is completely disabled in the agent browser (confirmed via noscript fallback)

Model Scope

Only Pro mode (the agentic mode with browsing capability) is affected. Instant mode and Thinking mode don’t browse URLs, so none of these attacks apply to them. This was confirmed with dedicated test runs against each mode.

Image Pixel Loading

I also tested whether the agent browser loads tracking pixels from hidden CSS elements. It does — all four pixel types loaded, including CSS-hidden ones, generating 52 events from ChatGPT-User/1.0.

I dropped this from the Bugcrowd submission because it’s not novel. OpenAI’s paper explicitly discusses image loading as an exfiltration vector, and the ShadowLeak research from 2025 already demonstrated server-side image exfil from the Deep Research agent. It’s also just normal browser behavior — browsers load images regardless of CSS visibility rules.

Including a well-documented finding would have weakened the submission. Know when not to overclaim.

The Bigger Picture

The follow-up testing mapped out a clearer picture of the attack surface:

  1. Multi-hop chains mean an attacker controls a tree of content, not just a single page
  2. Google open redirect bypasses a mitigation OpenAI specifically claimed to have solved
  3. Response injection means the attacker controls what the user sees in the answer
  4. Same-domain 302s can route agent requests toward internal infrastructure
  5. JavaScript being disabled is actually a meaningful security boundary — a lot of potential attacks die here

The common thread: Safe URL checks the initial URL but not the full redirect chain. Domain trust (especially for google.com) creates bypass opportunities. And the agent’s willingness to follow hidden links compounds with each of these behaviors.

These findings were submitted as a follow-up addendum to the original report through OpenAI’s bug bounty program on Bugcrowd.