OpenAI’s new Lockdown Mode disables web‑browsing, image fetching, agent tools and file downloads for personal and Business accounts, aiming to cut off the most common pathways for prompt‑injection‑based data leakage while preserving core chat functionality.

OpenAI announced the gradual rollout of Lockdown Mode for ChatGPT users across Free, Go, Plus, Pro and self‑serve Business plans. The setting is an optional hardening layer that disables a handful of high‑risk capabilities—live web browsing, image support, the Deep Research Agent, Canvas networking, and file downloads—in order to block the most common routes attackers use to exfiltrate sensitive data after a successful prompt‑injection attack.
Why Lockdown Mode matters
Prompt injection remains a "frontier" problem for large language models. An attacker can embed malicious instructions in a user‑supplied prompt or uploaded file, coaxing the model to issue outbound network calls that leak confidential information. Recent research from the University of Toronto’s Secure AI Lab demonstrated that a crafted prompt could cause ChatGPT to silently fetch a remote URL and embed a snippet of a corporate document in the response, effectively turning the model into a data‑exfiltration proxy.
Dr. Maya Patel, senior researcher at the Secure AI Lab, told us, "The biggest danger isn’t the model hallucinating—it’s the model being tricked into sending data to an attacker‑controlled server. By cutting off outbound requests, you remove the most direct exfiltration channel."
OpenAI’s response is to sandbox those outbound pathways. The company notes that the feature does not eliminate prompt‑injection entirely; it merely removes the most exploitable side‑effects.
What actually gets turned off?
| Disabled feature | What it does today | What changes in Lockdown Mode |
|---|---|---|
| Live web browsing | Retrieves fresh content from the internet on demand. | Only cached knowledge from the model’s training data is available; no new network calls are made. |
| Image support | Generates or fetches images, and can analyze user‑uploaded pictures. | Images can still be displayed if they are part of the model’s internal knowledge, but the model cannot request external images or process uploaded pictures for analysis. |
| Deep Research Agent | Executes multi‑step web‑search workflows, often chaining several URLs. | Agent mode is disabled; the model can still answer questions from its internal knowledge base, but cannot orchestrate external searches. |
| Canvas networking | Allows user‑approved code snippets generated by the model to make HTTP requests. | Canvas code execution is sandboxed; any network call is blocked. |
| File downloads | Lets users download generated files (CSV, PDFs, code archives) for further analysis. | Download links are hidden; the model can still generate the file content inline, but cannot push a binary to the user’s device. |
These restrictions are applied per‑session. Users can toggle Lockdown Mode on or off from the settings pane, and the UI will clearly indicate which capabilities are unavailable.
How to enable and monitor Lockdown Mode
- Navigate to Settings → Security in the ChatGPT web or desktop client.
- Flip the Lockdown Mode toggle. A confirmation dialog explains the trade‑offs.
- Once enabled, the interface displays a lock icon beside any disabled tool.
- Use the new Session Management page to review active sessions, device details, and sign‑out options—useful if you suspect an account compromise.
OpenAI also warns that Lockdown Mode cannot be active simultaneously with Developer Mode; enabling one automatically disables the other.
Practical takeaways for security teams
- Adopt Lockdown Mode for high‑risk users – any employee handling PII, PHI, or proprietary code should have the setting forced via the Business admin console.
- Combine with data loss prevention (DLP) – while outbound network calls are blocked, malicious prompts could still manipulate the model’s output. DLP rules that scan generated text for sensitive patterns (e.g., credit‑card numbers, API keys) add an extra safety net.
- Educate users on prompt hygiene – remind staff not to paste raw confidential documents into ChatGPT, even when Lockdown Mode is active. The model can still ingest uploaded files and may leak data through internal reasoning.
- Audit API usage – for organizations that call the ChatGPT API, enforce the response_format parameter to restrict image generation and disable the tools field that would otherwise invoke external plugins.
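The DLP layer recommended in the list above, as an added example (not code from OpenAI or from this article): a Python filter that scans generated text for card numbers, using the Luhn checksum to cut false positives, and for a few secret formats. The regexes, the sample text and the names `scan` and `redact` are illustrative assumptions.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Illustrative secret formats (assumptions; extend with your organization's key formats).
SECRET_RES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sk_prefixed_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan(text: str) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) for every sensitive span found in model output."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card_number", m.start(), m.end()))
    for kind, rx in SECRET_RES.items():
        hits.extend((kind, m.start(), m.end()) for m in rx.finditer(text))
    return sorted(hits, key=lambda h: h[1])

def redact(text: str) -> str:
    """Replace each hit with a typed placeholder, working right to left."""
    for kind, start, end in reversed(scan(text)):
        text = text[:start] + f"[REDACTED:{kind}]" + text[end:]
    return text

# Constructed sample output (a test card number and made-up keys, not real secrets).
SAMPLE = (
    "Invoice 1234567890123456 was paid with 4111 1111 1111 1111. "
    "Deploy key: AKIAABCDEFGHIJKLMNOP and token sk-" + "a" * 24 + "."
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The 16-digit invoice number in the sample fails the Luhn check and is left alone, which is the false-positive case a plain digit regex would flag.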
Limitations and future work
OpenAI is clear that Lockdown Mode does not guarantee zero exfiltration. Risks remain through:
- Enabled third‑party Apps that retain network access.
- Novel prompt‑injection techniques that exploit internal model reasoning without needing outbound calls.
- Combinations of allowed features that unintentionally create a covert channel (e.g., encoding data in generated text that is later scraped by a malicious downstream system).
James Liu, Principal Engineer at SecureStack, comments, "Lockdown Mode is a solid first line of defense, but it should be part of a layered strategy that includes strict API key management, output monitoring, and user training."
OpenAI says the feature will continue to evolve as new attack vectors surface. They plan to release telemetry (opt‑in) that shows how often Lockdown Mode blocks a request, giving enterprises visibility into exfiltration attempts.
Bottom line
Lockdown Mode offers a pragmatic compromise: it preserves the core conversational experience of ChatGPT while removing the most exploitable outbound pathways that attackers rely on for data theft. Security teams should enable it for any user dealing with sensitive information, pair it with DLP and robust API controls, and stay vigilant for the next wave of prompt‑injection tricks.
For more details, see OpenAI’s official announcement on the ChatGPT Help Center and the technical brief on mitigating prompt‑injection attacks from the Secure AI Lab.
