Skip to main content
CybersecurityAI & Machine Learning

OpenAI Assistants API Exclusive: Critical SesameOp Backdoor

OpenAI Assistants API Exclusive: Critical SesameOp Backdoor

What happens when the very tools designed to help us — conversational assistants that fetch data and automate tasks — become the tunnel through which attackers whisper commands? That dilemma now sits at the center of a new security alarm: researchers have discovered a backdoor, dubbed SesameOp, that uses OpenAI’s Assistants API as a stealthy command-and-control channel rather than relying on traditional network techniques.

SesameOp is notable because it repurposes a productivity surface into a covert communications layer. Instead of embedding malicious code in an executable or using bespoke command-and-control servers, the backdoor sends and receives instructions through an API that many organizations trust and routinely allow to interact with internal systems. In short, an assistant becomes both courier and controller.

To understand the risk, it helps to step back. The last two years have seen a proliferation of AI assistants and agent frameworks that connect models to enterprise data, automation tools and external plugins. That connectivity is a feature — it lets assistants answer context-rich questions and carry out multi-step workflows — but it is also an expanded attack surface. Security researchers and vendors have already flagged classes of attacks such as prompt injection, where untrusted content is crafted to alter an assistant’s behavior and leak data. Recent industry responses emphasize governance, access controls and aggressive patching to reduce those vectors .

What makes SesameOp different is its communication mechanism. Rather than broadcasting to known malicious domains or using malformed packets that intrusion detection systems expect, it piggybacks on Assistants API calls: innocuous-looking requests and responses that can ferry encoded instructions, status updates and exfiltrated material. For defenders this is a thorny problem — network telemetry and conventional endpoint signals may not flag traffic that appears to be valid API usage, and audit logs can be sparse or permissive for vendor services that are broadly trusted.

Security teams have seen echoes of this class of abuse in recent incidents. Microsoft and other vendors have had to respond quickly to show-stopping prompt-handling issues and indirect prompt injection, closing specific vectors and urging organizations to treat AI assistants as services with sensitive access that require governance and rigorous logging . Likewise, incidents that forced CRM vendors to patch prompt‑related leaks underscore how an assistant can be manipulated into returning sensitive records when untrusted content is treated as instruction rather than data .

Why this matters

  • Stealth: Assistants API traffic is often considered legitimate and may be whitelisted or monitored in a permissive way, making malicious messages harder to spot.
  • Permission scope: Assistants are typically given broad, convenience-driven privileges (read access to documents, ability to trigger scripts, connectors to SaaS systems), so a compromised assistant can reach high-value targets.
  • Attribution and detection: Natural-language commands flowing through benign-looking API calls complicate forensic timelines and raise false-negative rates for automated detectors.
  • Policy and compliance: Data-protection frameworks assume controllable data paths; opaque assistant behavior and indirect exfiltration challenge breach-detection and notification norms.

Different stakeholders see the problem through different lenses. Technologists worry about engineering patterns that interpolate untrusted content into system prompts — a core mistake that enables indirect prompt injection and similar exploits. Practical mitigations from this angle include strict separation of system prompts from user content, deny-by-default data access for assistants, and adversarial testing during red-team exercises to discover weak points before adversaries do .

Policymakers and compliance officers face a related set of headaches. If an assistant can be coaxed into returning protected data because its instruction-handling is lax, organizations will struggle to demonstrate reasonable controls under regulations like GDPR or sector-specific standards. That argues for clearer guidance on logging assistant interactions, minimum security baselines for AI services, and perhaps vendor obligations for transparent telemetry.

End users and business leaders must balance utility and risk. AI assistants deliver measurable productivity gains; heavy-handed restrictions can blunt value. Nevertheless, organizations should treat assistants as privileged services: enforce conditional access, record and retain queries and outputs for auditing, and limit which assets an assistant can reach. These are not theoretical recommendations — vendors have already been urged to adopt “fail-closed” default behaviors and to avoid templates that implicitly trust concatenated inputs .

Adversaries, meanwhile, view assistants as an attractive infrastructure for automation. Indirect prompt injection and encoded messaging inside otherwise normal content are low-cost, stealthy techniques. As defenders close one vector, attackers pivot: targeting model fine-tuning, third‑party plugins, or downstream services that render content for the assistant. The dynamic is familiar — an arms race where convenience and automation repeatedly open new windows of opportunity for abuse .

So what can defenders do now?

  • Limit assistant privileges with strict, deny-by-default policies and narrow connector scopes.
  • Enforce robust authentication and conditional access for any accounts that can invoke assistants or connect them to internal systems.
  • Maintain comprehensive logging of assistant queries, retrievals and outputs, and instrument anomaly detection tuned to unusual patterns of API calls or high-volume data access.
  • Adopt model-aware engineering practices: avoid interpolating raw user content into system prompts and separate untrusted inputs from instruction templates.
  • Conduct regular adversarial testing and red-team exercises that include prompt-injection and API-abuse scenarios.

Industry response matters. Rapid vendor patches and changes to instruction‑handling — as seen in past prompt‑injection mitigations — are welcome, but they are not a panacea. Fixing a single vector leaves many others; defenders must combine software patches with governance, awareness and resilient operational practices. That insight is reinforced by recent vendor advisories and high‑profile fixes that stress the need for forensic logging and stricter default behaviors .

SesameOp is a reminder that as AI assistants become more capable and more connected, attackers will look for higher-level protocols to abuse. The problem is not simply bugs in code; it is the set of assumptions designers and operators make about what inputs are “safe” and which paths are auditable. Will we treat assistants as powerful utility services that demand the same rigor reserved for identity providers, databases and network controllers — or will we continue to assume that conversational APIs are harmless conduits?

Ultimately, the choice will shape whether convenience becomes a new vector for compromise or a managed capability that augments secure operations. The stakes are tangible: when the messengers can be turned into covert commanders, defenders must decide whether to harden the doors, change the locks, or stop opening them at all. For now, vigilance, governance and engineering discipline are the best defenses we have.

Source: https://www.infosecurity-magazine.com/news/openai-assistants-api-sesameop/