OpenAI limits agent access to unverified URLs to curb unauthorised data transfer
New safeguard relies on independent web index to prevent silent leakage of user-specific data
OpenAI will prevent its agents from automatically loading web links unless the exact address has been previously recorded on the public internet, the company said.
To make this determination, OpenAI said it uses an independent web crawler that indexes public URLs without accessing user conversations, accounts or personal data. If a URL is listed in that index, an agent may load it; if not, it is treated as unverified and will require user confirmation or a fallback to another site.
The company said the change is designed to address risks of URL-based data exfiltration, where private values can be exposed through server logs or embedded resources when an agent accesses a link.
OpenAI said simple allow-lists fail to provide adequate protection because links may redirect from legitimate domains to attacker-controlled destinations, while overly strict lists can generate false alarms and degrade user experience.
“The link isn’t verified. It may include information from your conversation. Make sure you trust it before proceeding,” the company said.
While the safeguard blocks silent leakage of user-specific data via URL parameters, it does not ensure the trustworthiness of site content or protect against social engineering attempts, OpenAI said.
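The difference between a domain allow-list and the exact-address check described above can be shown in a short sketch. This is an added example, not OpenAI's implementation: the index contents, domains and function names are constructed, and checking every redirect hop against the index is an assumption of this example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the independent index of publicly seen URLs.
PUBLIC_INDEX = {
    "https://example.org/docs/intro",
    "https://example.org/search?q=weather",
}
# Naive domain allow-list, kept only for comparison.
ALLOWED_DOMAINS = {"example.org"}


def canonical(url):
    """Normalise case of scheme/host and drop the fragment (never sent to
    the server); path and query are kept byte-for-byte."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.port:
        host += f":{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{host}{p.path or '/'}{query}"


def domain_allowlist_ok(url):
    return (urlsplit(url).hostname or "") in ALLOWED_DOMAINS


def index_ok(url):
    return canonical(url) in PUBLIC_INDEX


def gate(chain):
    """chain = requested URL plus each redirect target, in order.
    Returns ("load", None) if every hop is indexed, otherwise
    ("confirm", first_unindexed_hop)."""
    for hop in chain:
        if not index_ok(hop):
            return ("confirm", hop)
    return ("load", None)


if __name__ == "__main__":
    leak = "https://example.org/search?q=weather&note=CONSTRUCTED-PRIVATE-VALUE"
    print(domain_allowlist_ok(leak), gate([leak]))
```

A URL on a trusted domain that carries a conversation-specific value in its query string passes the domain check but is absent from the index, so it is routed to user confirmation.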
The company described the change as one layer among broader protections, including model-level mitigations, product controls, continuous monitoring and adversarial testing. It said protections will evolve as agent capabilities and threat techniques develop.
Researchers working on prompt injection, agent security or data exfiltration were invited to submit responsible disclosures, with full technical details provided in an accompanying paper.
The Recap
- OpenAI limits automatic fetches to publicly indexed URLs.
- Independent web index verifies whether a URL was previously seen.
- Unverified links require user action or a warning.