OpenAI Introduces Lockdown Mode to Combat Data Exfiltration via Prompt Injection
The new optional security feature disables live browsing and autonomous agent capabilities to reduce the risk of malicious instructions hidden in web content.
Primary source: TechCrunch AI.
Fast summary
- Lockdown Mode disables live web browsing, image retrieval from the web, and autonomous agent functionality.
- The feature is designed for organizations and individuals handling sensitive data susceptible to prompt injection risks.
- OpenAI warned that while the mode reduces risk, users remain vulnerable via uploaded files and cached web content.

What happened
OpenAI announced the launch of Lockdown Mode, a specialized security setting for ChatGPT aimed at preventing prompt injection attacks. These attacks occur when malicious instructions are embedded in webpages or other external sources, which the AI then follows instead of the user's original prompts. The feature is currently rolling out to self-serve ChatGPT Business accounts and eligible personal accounts.
What's new in this update
Lockdown Mode significantly restricts the chatbot's interactive capabilities to minimize its attack surface. When enabled, the feature disables live web browsing, the retrieval and display of images from the web, 'deep research' capabilities, and agent mode. While live browsing is deactivated, the AI can still access cached web content, though OpenAI notes this remains a potential vector for injection.
Key details
The setting is not intended for the general user base but is specifically tailored for entities handling highly sensitive information. Users in Lockdown Mode can still generate new images but cannot pull existing ones from external URLs. OpenAI explicitly stated that the mode is a risk-reduction tool rather than a total solution, as uploaded files can still contain malicious prompts that influence the model's accuracy or behavior.
Background and context
Prompt injection has emerged as a primary security concern for LLMs (Large Language Models), particularly as developers move toward 'agentic' AI that can browse the web and execute tasks independently. By allowing a bot to read external websites, developers inadvertently create a path for third-party sites to 'inject' commands that could trick the bot into revealing session history or proprietary data to an external server.
What to watch next
As OpenAI expands access to ChatGPT Business users, the focus will likely shift to whether similar 'hardened' modes will become standard for enterprise-level AI integrations. Security researchers are expected to test the limits of Lockdown Mode to see if indirect injections through cached data or document analysis remain a viable pathway for data exfiltration.
Why it matters
Prompt injections represent a critical vulnerability for generative AI agents, as they allow external websites to hijack chatbot instructions and potentially exfiltrate private user data.