‹ ARCHIVE NB-L062 · .log · 2026·07

They didn't need your password: the chatbot handed your conversations to a stranger

Four flaws in a single platform let someone quietly read the private conversations that other people were having with AI assistants. The platform is called Dify, it is open source, and it sits underneath more than a million AI applications across more than fifty industries, at companies like Volvo, Maersk and Panasonic. Researchers at Zafran Security, who found the flaws and named the set "DifyTap," showed that an attacker could set up a wiretap on other customers' conversations: every question typed and every model reply, copied out without anyone on the other side noticing.

When you talk to a chatbot, you assume the conversation stays between you and it. This research shows that was not always true. And there is a second assumption, weaker still: that the assistant wearing a brand's logo was built by that brand. It almost never was. Most of the chatbots you meet run on shared platforms like this one, where many customers live inside the same system. The privacy of your conversation is not a law of nature; it is a promise made by whoever laid the plumbing underneath. And it was exactly that plumbing that failed.

How the wiretap works

The central flaw (a vulnerability catalogued as CVE-2026-41947, rated critical) did not require breaking anything open. Dify ships a legitimate feature that developers use to keep an eye on their own chatbots: it sends a copy of every conversation to an external monitoring service of the builder's choosing. The problem is that the system never checked whether the person changing that setting actually owned the app. Knowing the app's public identifier, which the chatbot itself hands to the browser of anyone using it, an attacker could switch the destination of those copies to a server of their own. From then on, every question and every reply also flowed to them. This is not breaking into the app: it is reprogramming the recorder it already had so it copies into the room next door as well. And getting there took nothing more than an ordinary account, the kind anyone creates on signing up.
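The missing check described above, as an added example that is not Dify's code: a handler that only asks "is the caller logged in?" beside one that also asks "does this app belong to the caller's workspace?". App ids, tenants, users and URLs are constructed sample data, and the audit helper for operators is an assumed addition.

```python
from dataclasses import dataclass

@dataclass
class App:
    """One chatbot app on a shared platform (constructed sample model)."""
    app_id: str        # public identifier, handed to every chat user's browser
    owner_tenant: str  # workspace that actually owns the app
    trace_url: str     # external monitoring service that receives conversation copies

@dataclass
class User:
    name: str
    tenant: str

class Forbidden(Exception):
    pass

ALLOWED_TRACE_PREFIX = "https://trace.internal.example/"   # constructed allow-list

def make_apps() -> dict:
    """Constructed state: one app owned by tenant-acme, copies sent in-house."""
    return {"app-1234": App("app-1234", "tenant-acme", ALLOWED_TRACE_PREFIX + "acme")}

def set_trace_destination_vulnerable(apps, user, app_id, url):
    """Checks only that a caller is logged in: any account can repoint any app."""
    if user is None:
        raise Forbidden("login required")
    app = apps[app_id]  # resolved by the public id alone, owner never checked
    app.trace_url = url
    return app.trace_url

def set_trace_destination_fixed(apps, user, app_id, url):
    """Resolves the app within the caller's own tenant and validates the target."""
    if user is None:
        raise Forbidden("login required")
    app = apps.get(app_id)
    # Object-level authorization: the app must belong to the caller's workspace.
    if app is None or app.owner_tenant != user.tenant:
        raise Forbidden("app not found in your workspace")  # same reply either way
    # Defence in depth: copies may only go to an approved monitoring host.
    if not url.startswith(ALLOWED_TRACE_PREFIX):
        raise Forbidden("trace destination not on the allow-list")
    app.trace_url = url
    return app.trace_url

def find_foreign_destinations(apps, allowed_prefix=ALLOWED_TRACE_PREFIX):
    """Audit helper for operators: ids of apps whose copies leave the approved host."""
    return sorted(a.app_id for a in apps.values()
                  if not a.trace_url.startswith(allowed_prefix))
```

Running `find_foreign_destinations` over an instance's apps is the quick post-patch check: any app whose copies are going somewhere you did not approve deserves a closer look.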

It was not the only one. There were four in all, and the pattern held: the system trusted the wrong people. Three crossed the boundary between customers, letting one reach another's data; two did not even need an account. The highest-rated of them (CVE-2026-41948) let a stranger, with no login at all, reach Dify's internal systems through a tampered web address. Another let an attacker read the first 3,000 characters of any document uploaded to the platform, including those belonging to other companies; another pulled files uploaded by other users. And there was a telling detail: the platform's PDF reader used a piece of the Chromium engine carrying a memory flaw known and fixed since June 2024 (CVE-2024-5846), left sitting there for around a year and a half, until December 2025.

For a company running a customer-facing chatbot on this platform, this is not a distant technical footnote. Those conversations are personal data. A leak between customers is a data breach, and under Europe's rules it is reportable to the regulator within seventy-two hours, with responsibility resting on whoever offers the service, not on the platform hosting it. Renting the plumbing does not rent away the blame.

Why this keeps happening

There is a pattern behind the episode, and it is bigger than Dify. Zafran says there is no sign the flaws were ever exploited, and the platform has already fixed them (version 1.15.0, from 25 June, closes all four). What remains is the pattern: we bolted AI onto everything faster than we secured the plumbing the data runs through. The PDF reader flaw left untouched for a year and a half tells the whole story: the AI layer is new and shiny, the pipes beneath it are old, and nobody was watching them. It is the difference between locking the front door and leaving the cellar open.

How to protect yourself

Defence starts with how you use these tools:

  • Treat any chatbot as a public space: do not type there what you would not say out loud at a counter, such as card numbers, passwords, sensitive health details or company secrets.
  • If you are the one offering an AI product, update Dify to version 1.15.0 (or the equivalent on the platform you use) and assume a shared system is someone else's territory.
  • Ask whoever supplies your assistant where the conversations are stored, and for how long.
  • Keep the minimum: the less history is retained, the less there is to leak.

The privacy you feel in a conversation with an AI is only as solid as the plumbing beneath it. And in this case, the plumbing was laid in a hurry and watched loosely.

Sources: Zafran Security, The Hacker News.

#StaySafe
🙏🖖