**OpenAI says it has updated how ChatGPT and other AI agents retrieve web content after identifying a security risk that could allow private information to be exposed through URLs without users noticing.**

The issue centers on how AI systems load links while answering questions. When an [AI agent](https://www.stanventures.com/news/is-chatgpt-operator-ai-agent-the-future-of-web-automation-1864/) opens a webpage, the full web address is sent to the destination server and often logged. 

OpenAI [says](https://openai.com/index/ai-agent-link-safety/) attackers can exploit that behavior by embedding sensitive information directly into URLs and tricking an AI into loading them.

If successful, the data appears in server logs controlled by the attacker, even if the AI never displays the information in a response.

![OpenAI Tightens ChatGPT Link Access After Data Leak Risk](https://www.stanventures.com/news/wp-content/uploads/2026/01/Inline_Image-300x169.webp)

## How the Risk Works

According to OpenAI, a malicious page or prompt can attempt to influence an AI agent into requesting a URL that includes private details such as names, email addresses, or document references.

The request may occur in the background, triggered by actions like loading an image or previewing a link. Users may not see any indication that information has been transmitted.

The risk increases when combined with prompt injection techniques, where instructions hidden in web content attempt to override the AI’s intended behavior. OpenAI says this means data exposure can occur even when visible responses appear safe.

## Why Trusted Site Filtering Was Not Enough

OpenAI considered restricting AI agents to a list of well-known websites, but said that approach leaves gaps. Many legitimate sites rely on redirects, allowing traffic to be routed through trusted domains and sent elsewhere.

Strict allow lists also introduce usability problems. Frequent warnings and blocked requests can lead users to ignore safety prompts altogether, weakening protection over time.

Instead, OpenAI focused on whether a specific URL exists publicly on the web, independent of any user interaction.

## What OpenAI Changed

The company now allows AI agents to automatically load only URLs that have already been observed on the public internet.

This is enforced using an independent web index that scans publicly available pages in the same way search engines do. The index operates separately from user conversations and does not rely on personal data.

If a URL matches one already seen publicly, the AI can retrieve it automatically. If it does not, the link is treated as unverified and may require user confirmation or be avoided altogether.

OpenAI says this reduces the likelihood that URLs contain user-specific or conversation-specific information.
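The difference between a domain allow list and an exact-URL check against a public index can be seen in a short sketch. This is an added example, not OpenAI's code: the index is modelled as an in-memory set, and the sample URLs, function names, normalisation rules and the three decision labels are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: hosts on a domain allow list, and exact URLs that a
# crawler independent of any conversation is assumed to have seen publicly.
TRUSTED_HOSTS = {"docs.example.org", "news.example.com"}
CRAWLED = ["https://docs.example.org/guide/install",
           "https://news.example.com/2026/01/story?page=2"]


def canonical(url):
    """Return a comparison key, or None if the URL should never be auto-loaded.

    Scheme and host are lowercased and the fragment is dropped (it is not sent
    to the server). Path and query are kept exactly, because that is where
    conversation-specific data would be embedded.
    """
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:
        return None
    if p.scheme.lower() not in ("http", "https") or not p.hostname:
        return None
    if p.username or p.password:  # userinfo is another place data could ride
        return None
    host = p.hostname.lower() + (f":{port}" if port else "")
    return urlunsplit((p.scheme.lower(), host, p.path or "/", p.query, ""))


PUBLIC_INDEX = {canonical(u) for u in CRAWLED}


def allowlist_decision(url):
    """Domain-only check: looks at the host and nothing else."""
    host = (urlsplit(url).hostname or "").lower()
    return "auto_fetch" if host in TRUSTED_HOSTS else "confirm"


def index_decision(url):
    """Exact-URL check: auto-load only URLs already present in the index."""
    key = canonical(url)
    if key is None:
        return "block"
    return "auto_fetch" if key in PUBLIC_INDEX else "confirm"
```

A URL on a trusted host with a never-seen query string passes the domain check but falls back to user confirmation under the index check. For the property to hold across redirects, a fetcher built this way would have to apply the same check to every redirect target as well.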

> Right, their own independent web index or another they are leveraging? Hard to say, but very interesting about using an independent web index overall (and for that purpose). [pic.twitter.com/gjvrfjKJat](https://t.co/gjvrfjKJat)
> — Glenn Gabe (@glenngabe) [January 29, 2026](https://twitter.com/glenngabe/status/2016863506813894682?ref_src=twsrc%5Etfw)

## What Users Will Notice

When a link cannot be verified, users may see a warning stating that the URL could include information from their conversation and advising caution before proceeding.

OpenAI says these prompts are intended to prevent quiet data exposure and give users more control over what is opened on their behalf.

## Limits of the Protection

The company emphasized that the change addresses only one class of security risks. It does not guarantee that websites are trustworthy or that browsing is free from deception or manipulation.

OpenAI described the update as one layer in a broader security strategy that includes protections against prompt injection, product controls, monitoring, and ongoing testing.

The company said it expects attackers to adapt as AI systems become more capable and views this work as ongoing.

## Key Takeaways

- OpenAI identified a risk involving data embedded in URLs.
- AI agents could leak information without showing it to users.
- Trusted website lists were not sufficient to stop the issue.
- Automatic link loading is now limited to publicly known URLs.
- Users may see warnings before unverified links are opened.