The National Information Technology Development Agency (NITDA) has alerted Nigerians to potential cybersecurity breaches from new ChatGPT vulnerabilities that could expose users to data leakage attacks.

NITDA yesterday released the notice through its Computer Emergency Readiness and Response Team (CERRT.NG).

The warning came on the heels of rising concerns about Artificial Intelligence (AI)-powered tools interacting with unsafe web content, as well as the growing dependence on ChatGPT for business, research, and public-sector tasks.

According to the advisory, researchers discovered seven vulnerabilities affecting GPT-4o and GPT-5 models that allow attackers to manipulate ChatGPT through indirect prompt injection.

The agency explained that hidden instructions placed inside webpages, comments or Uniform Resource Locators (URLs) can trigger unintended commands during regular browsing, summarisation or search actions.

“By embedding hidden instructions in webpages, comments or crafted URLs, attackers can cause ChatGPT to execute unintended commands simply through normal browsing, summarisation or search actions,” it stated

It added that some flaws allow the bypassing of safety controls by masking malicious content behind trusted domains. Other weaknesses take advantage of markdown rendering bugs, enabling hidden instructions to pass undetected.

In severe cases, NITDA said, attackers can poison ChatGPT’s memory, forcing the system to retain malicious instructions that influence future conversations

The Information and Communication Technology (ICT) development agency stated that while OpenAI had addressed certain aspects of the issue, Large Language Models (LLMs) still struggle to reliably distinguish genuine user intent from malicious data.

NITDA warned that these vulnerabilities could lead to a range of cybersecurity threats, including: unauthorised actions carried out by the model, unintended exposure of user information, manipulated or misleading outputs, and long-term behavioural changes caused by memory poisoning.

CERRT.NG added that users may unknowingly trigger these attacks without clicking or interacting with anything, especially when ChatGPT processes search results or webpages that contain hidden, malicious instructions.

The agency advised Nigerians, businesses and government institutions to adopt precautionary steps to stay safe. These include limiting or disabling the browsing and summarisation of untrusted websites within enterprise environments and enabling features like browsing or memory only when necessary.

It also recommended regular updates to deployed GPT-4o and GPT-5 models to ensure known vulnerabilities are patched.