← all news

OpenAI ships a Lockdown Mode against prompt injection exfiltration

Security · · · source (simonwillison.net)

OpenAI quietly shipped a feature called Lockdown Mode, and Simon Willison reads it as a meaningful first move against prompt injection. The mode is designed to stop the last stage of an exfiltration attack by limiting outbound network requests from ChatGPT, so even if a malicious instruction slips in through cached web content or an uploaded file, the model has fewer paths to send your data out. It is rolling out to Free, Go, Plus, and Pro accounts, plus self-serve ChatGPT Business.

The framing Willison uses is the "Lethal Trifecta" he has written about for two years: an LLM that has access to private data, exposure to untrusted content, and a path to exfiltrate. Lockdown Mode goes after the third leg with deterministic, non-AI plumbing rather than asking the model to be careful, which is the right shape of defense for this class of bug. The catch is in OpenAI's own help text: the feature does not stop prompt injections from landing, it only blunts the damage if one does.

Willison also notes the awkward implication. If a separate mode is needed to lock down exfiltration, the default setting was carrying that risk all along, and most ChatGPT users still are.

Why it matters

If you use ChatGPT with browsing, files, or any connector that touches private data, turn Lockdown Mode on now and assume the default is not safe. For anyone building agentic products, this is the design pattern worth copying: cut the exfiltration channel at the network layer instead of trusting the model to refuse.

OpenAIPrompt Injection