Build a chatGPT website with open source software? Beware of others spending your money!

If you use the chatGPT-web software by default, it will be scanned by people accidentally, and it will be used for free.

Written by: Wei Jianfan

Since OpenAI provided the GPT API, many students used an open source software to build their own chatGPT website.

This open source software is chatGPT-web, the URL is:

After building, the interface will probably look like this:

However, if you use this software by default, if you are not careful (meaning that you do not know how to set it), it will be scanned and used by others for free.

Many website maintainers have been recruited one after another. They found that the chatGPT they set up has not been used much by themselves, but has been heavily used by others, and the daily API fee has reached several dollars.

The reason is that his website was discovered and used by many people for free.

How do other people discover this site?

There are some web asset search engines on the Internet (some people call them “cyberspace mapping”). By specifying the title information, domain name information, IP information, port and protocol information, header information, html text information, banner information, City information, certificate information, etc., can be used to search information assets on the Internet very conveniently, such as searching for web pages with specific titles, searching for the deployment of a certain software on the Internet, and scanning the entire network for vulnerabilities.

The best known of these engines are FOFA and shodan.

Using these search engines, you can find almost all assets related to the Internet, because these search engines are searching for various servers, routers, smart devices, cameras, printers, etc. on the Internet almost all the time, so that users When you search, you can quickly return search results.

What is really scary is that many websites or devices on the Internet do not have security protection measures, so others can easily enter after searching.

chatGPT-web is an open source software, the default Title of the front page is: ChatGPT Web

Then in the asset search engine, search for the website whose title is ChatGPT Web, and you can find the website that uses this open source project.

It can be seen that more than 20,000 such websites were searched in just over 1 second.

If these websites do not have password protection (the default is not, unless you set it), the scanner can directly use chatGPT for free.

How to prevent

In fact, this problem is explained in the README of chatGPT-web, but many users put all their energy on how to make the website work, without carefully reading these security instructions.

If you really use it, there is still time to change it. After all, you can lose less and lose less.

1. In the front-end index.html file, change the title to something else, and the word ChatGPT must not be included.

2. In the configuration file, set AUTH_SECRET_KEY to add an access password to the web page.

If you build the backend yourself, set AUTH_SECRET_KEY in the .env file in the service directory.

If you use Docker Compose, set it in the docker-compose.yml file in the docker-compose directory.

After adding password verification, the web page will become like this:

This will be much better, at least it can block a large number of ordinary attempters.

Conclusion

Therefore, website maintainers must have the most basic security awareness. You think that others cannot find you, but in fact, others have already discovered you and used you.

Software developers should consider how to make the default installation of the software safe, such as allowing the program to automatically generate different Titles, automatically generate default passwords, etc., instead of waiting for the user to set it.

You can say, I am open source, I have no such obligation, whether you use it or not is your own business, but if you do well, your reputation will be very good.

Because users are often fool-like installations, they don’t bother to change anything.

There may be other problems on the website, depending on whether the attacker has intentions, so I won’t go into details here. If you are interested, you can take a look at this article: “Risk Analysis of ChatGPT Using Domestic Private Deployment”.