
NITDA issues urgent cybersecurity alert over ChatGPT vulnerabilities


The National Information Technology Development Agency has issued an urgent cybersecurity alert, cautioning Nigerians about newly discovered vulnerabilities in ChatGPT that may put users at risk of data-leakage attacks.

The warning was issued via the agency’s Computer Emergency Readiness and Response Team.

The advisory comes amid increasing concerns over AI-powered tools accessing unsafe online content and the expanding reliance on ChatGPT for business, research, and government-related activities.

The advisory states that researchers have identified seven vulnerabilities in the GPT-4o and GPT-5 models, which could enable attackers to exploit ChatGPT via indirect prompt injection.

NITDA noted that hidden instructions embedded in webpages, comments, or URLs can cause the AI to execute unintended commands during normal browsing, summarization, or search activities.

“By embedding hidden instructions in webpages, comments, or crafted URLs, attackers can cause ChatGPT to execute unintended commands simply through normal browsing, summarization, or search actions,” they stated.

The agency further explained that certain flaws let attackers bypass safety controls by hiding malicious content within trusted domains, while others exploit markdown rendering bugs to conceal harmful instructions.

In extreme cases, attackers could poison ChatGPT’s memory, causing the system to retain malicious directives that affect subsequent interactions.

The agency noted that, although OpenAI has addressed some of the issues, large language models continue to have difficulty reliably distinguishing legitimate user input from malicious data.

NITDA cautioned that these vulnerabilities could expose users to various cybersecurity threats, including:

Unauthorized actions carried out by the model;
Unintended exposure of user information;
Manipulated or misleading responses;
Long-term behavioral changes resulting from memory poisoning.

CERRT.NG warned that users could inadvertently trigger these attacks without any direct interaction, particularly when ChatGPT processes search results or webpages containing concealed malicious instructions.

A few months earlier, the agency had issued a public alert about a critical security flaw affecting embedded SIM cards in smartphones, tablets, wearables, and IoT devices.

The vulnerability was linked to the GSMA TS 48 Generic Test Profile (version 6.0 and earlier), a testing standard used for eUICC chips.

NITDA reported that over 2 billion devices globally were at risk, potentially allowing attackers to install malicious applets, extract cryptographic keys, or even clone eSIM profiles.