A developer exploited an API flaw to provide free access to GPT-4

Posted on

A developer is trying to reverse engineer APIs to give everyone free access to popular AI models like OpenAI’s GPT-4 – legal ramifications are damned.

The developer’s project, GPT4Free, exploded on GitHub in recent days after links to it from Reddit went viral. At the moment, GPT4Free offers – or at least seems to offer – free and almost unlimited access to GPT-4, as well as GPT-3.5, the predecessor of GPT-4.

GPT-4 normally costs $0.03 per 1,000 “prompt” tokens (about 750 words) and $0.06 per 1,000 “completion” tokens (again about 750 words); tokens represent plain text. GPT-3.5 is slightly cheaper at $0.002 per 1,000 tokens.

So how does GPT4Free bypass OpenAI’s paywall? It doesn’t – not really. Instead, it tricks the OpenAI API into thinking it receives requests from websites with paid OpenAI accounts, such as the search engine You.com, WriteSonic, or Quora’s Poe.

Anyone using GPT4Free collects the tab of sites xtekky has chosen to script around – a clear violation of OpenAI’s terms of service. But xtekky sees no problem with this; they claim that GPT4Free is for “educational purposes” only.

“Legal action may be taken and I will have to comply, but I will still try to continue the project in a different way,” xtekky said.

I’m too much of a programming novice to install GPT4Free locally – it requires setting up a Python environment – but I used xtekky’s website to test the reverse-engineered GPT-4/3.5 APIs. (Note, Chrome issued a security warning when I first navigated to the site. Proceed with caution.) The web version of GPT4Free worked well enough in practice, returning answers that – at least to me – seemed to be from GPT-4 .

GPT-4 exploit

GPT-4 testing with illicit means.

GPT4Free also includes shortcuts for several direct injection attacks, designed to make GPT-3.5 and GPT-4 work in a way that OpenAI did not intend. They worked inconsistently during my testing, but I managed to get GPT-3.5 to say at one point that it “couldn’t care less about the survival of humanity”. Yuck.

GPT-4 exploit

GPT-3.5 with rapid injection.

It’s probably only a matter of time before sites like You.com catch on to GPT4Free and fix their security flaws, forcing xtekky to look for other OpenAI clients to piggyback on. And GPT4Free is perpetually at the mercy of a takedown notice from OpenAI, which would push the repo off GitHub indefinitely.

But new projects similar to GPT4Free are already popping up, suggesting it’s a trend. What drives it?

Well, GPT-4 is currently on restricted access, making it difficult to test drive for the curious. But it’s also something of a black box. Researchers have judged GPT-4 to be one of the least transparent models OpenAI has created to date, with few technical details in the 98-page paper accompanying the release.

OpenAI collaborated with several third-party groups to benchmark and verify GPT-4 prior to launch. But the company hasn’t specified when — or if — it will offer free, unfettered access to others who want to benchmark the GPT-4 base model. (OpenAI offers a grant-aided access program for researchers, but limited to certain countries and areas of study.)

A game of whack-a-mole is expected between projects like GPT4Free and OpenAI, reflecting the wider cybersecurity landscape. Unless the model-serving APIs become dramatically more difficult to exploit, developers will tend to profit – and not lose much.

Leave a Reply

Your email address will not be published. Required fields are marked *