TL;DR
ChatGPT’s new Lockdown Mode disables live browsing, agent mode, and deep research to block data exfiltration via prompt injection. Available on all plans.
OpenAI has begun rolling out Lockdown Mode to ChatGPT, a new security setting designed to block attackers from stealing data through prompt injection attacks. The feature disables live web browsing, agent mode, deep research, image retrieval, Canvas networking, and file downloads. It is available to logged-in users across Free, Go, Plus, Pro, and self-serve ChatGPT Business plans.
Prompt injection remains what OpenAI calls a “frontier” problem affecting all large language models. The attack works by hiding malicious instructions in content the model processes, such as a webpage or uploaded file. If the model follows those instructions, it can be tricked into sending sensitive data to an attacker-controlled server.
Lockdown Mode does not stop injections from happening. A malicious payload embedded in a cached webpage or uploaded PDF can still influence the model’s behaviour. What it does is shut down the outbound pathways an attacker would use to exfiltrate the data. No live browsing means no network requests to external servers. No image retrieval means no pixel-based data channels.
“Lockdown Mode is designed to substantially reduce the risk of prompt injection-based data exfiltration, but it does not guarantee that data exfiltration cannot happen,” OpenAI said. “Risk may remain through enabled Apps, unforeseen combinations of capabilities, or newly discovered techniques.”
The trade-off is significant. With Lockdown Mode on, ChatGPT loses most of what makes its agent and research features useful. Live browsing drops to cached content only. Agent mode is gone entirely. Deep research is disabled. It is, as OpenAI acknowledges, “not intended for everyone.”
The feature arrives as prompt injection attacks on AI agents have become a growing concern. Security researchers have demonstrated hijacks against agents from Anthropic, Google, and Microsoft via their GitHub Actions integrations. All three paid bug bounties but published no public advisories. The underlying weakness is fundamental: LLMs cannot reliably separate data from instructions.
Lockdown Mode and Developer Mode cannot be used simultaneously. Turning one on disables the other. OpenAI also launched a separate session management feature that lets users review active ChatGPT sessions and log out of individual devices if they spot unauthorised activity.
The feature is a pragmatic concession. OpenAI is not claiming to have solved prompt injection. It is accepting that the problem persists and offering users a way to reduce their exposure by giving up functionality. For anyone handling sensitive data in ChatGPT, that trade-off is worth making. For everyone else, the expanding agent ecosystem and its growing attack surface mean the risk is only increasing.
