OpenAI Launches "Lockdown Mode": Disables 7 Features Including Web Browsing and Downloads to Prevent Prompt Injection Attacks

OpenAI has launched "Lockdown Mode," designed for businesses and personal users handling sensitive data. It proactively disables seven features, including real-time web browsing, Deep Research, and Agent Mode, to provide stricter protection against prompt injection attacks.

Seven Features Disabled, Offering an Additional Layer of Protection

OpenAI announced this week that "Lockdown Mode" is now available to ChatGPT Business users and some individual accounts. The goal is to create an extra barrier for organizations handling sensitive data when facing "prompt injection attacks."

An Attack Method You Might Not Be Familiar With

You may have heard of prompt injection attacks without being quite sure what they are.

It’s actually quite simple. In short: an attacker hides malicious commands in a place an AI will read—such as a webpage, a PDF, or an email—and when the AI processes that content, it executes the hidden commands, causing the AI to do things it shouldn’t.

For ordinary users, the worst-case scenario might be the AI being tricked into outputting strange content. But in enterprise scenarios, since AI Agents are connected to internal databases, have permission to read and write files, and can perform tasks on behalf of humans, a successful prompt injection could allow attackers to access confidential information or even manipulate the AI to issue commands.

The Logic Behind Lockdown Mode: Reducing the Attack Surface

OpenAI’s official explanation highlights the core design philosophy of Lockdown Mode: prompt injection attacks are effective because AI systems actively fetch content from the external world (web pages, images, real-time data), and that external content is the main channel for hiding malicious commands.

The strategy of Lockdown Mode is not to try to identify harmful external content but to cut off the connection altogether. Once enabled, the following seven features are disabled:

  • Real-time web browsing (reverts to cached content)
  • Fetching or displaying images from the web (images can still be generated internally)
  • Deep Research
  • Agent Mode
  • Canvas Web Features
  • Live Connectors
  • File Downloads

The logic behind this list is clear: any feature that requires ChatGPT to actively pull content from the outside world is turned off. What remains are capabilities that can be completed locally or within a controlled environment.

OpenAI also candidly admits the limitations of this feature: "Even with Lockdown Mode enabled, ChatGPT may still be vulnerable to prompt injection, such as through cached web content or uploaded files." In other words, this is not a foolproof firewall but a risk management tool that makes deliberate trade-offs, aiming to reduce the likelihood of sensitive data leakage during attacks rather than eliminating attacks altogether.
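
The policy described above can be modeled as a deny-by-default gate in front of an assistant's tools. This is an added sketch, not OpenAI's implementation: the tool names, flags and functions are hypothetical, chosen to mirror the article's list and the residual channels OpenAI names (cached web content and uploaded files).

```python
from dataclasses import dataclass

# Hypothetical registry: does the tool pull live external content, and can it
# fall back to a cache? Flags are assumptions based on the article's list.
TOOLS = {
    "web_browse":      {"live_external": True,  "cache_fallback": True},
    "web_image_fetch": {"live_external": True,  "cache_fallback": False},
    "deep_research":   {"live_external": True,  "cache_fallback": False},
    "agent_mode":      {"live_external": True,  "cache_fallback": False},
    "canvas_web":      {"live_external": True,  "cache_fallback": False},
    "live_connector":  {"live_external": True,  "cache_fallback": False},
    "file_download":   {"live_external": True,  "cache_fallback": False},
    "image_generate":  {"live_external": False, "cache_fallback": False},
    "read_upload":     {"live_external": False, "cache_fallback": False},
}

@dataclass
class Decision:
    tool: str
    allowed: bool
    source: str      # "live", "cache", "upload", "internal" or "none"
    untrusted: bool  # True if returned content could carry injected instructions
    reason: str

def gate(tool: str, lockdown: bool) -> Decision:
    spec = TOOLS.get(tool)
    if spec is None:  # deny by default: unknown tools never run
        return Decision(tool, False, "none", False, "unknown tool")
    if not spec["live_external"]:
        # Uploaded files are local to the session but still attacker-influenced.
        src = "upload" if tool == "read_upload" else "internal"
        return Decision(tool, True, src, src == "upload", "no live fetch")
    if not lockdown:
        return Decision(tool, True, "live", True, "lockdown off")
    if spec["cache_fallback"]:  # browsing reverts to cached content
        return Decision(tool, True, "cache", True, "lockdown: cache only")
    return Decision(tool, False, "none", False, "lockdown: live fetch disabled")

def residual_channels(lockdown: bool) -> list:
    """Tools that can still deliver untrusted content to the model."""
    decisions = (gate(name, lockdown) for name in TOOLS)
    return sorted(d.tool for d in decisions if d.allowed and d.untrusted)
```

With lockdown on, `residual_channels(True)` still returns the cached-browsing and upload paths, which is why content from those sources has to be treated as untrusted even in this mode.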

Lockdown Mode Is Not an Isolated Measure

Alongside Lockdown Mode, a "High-Risk Tag" feature has been launched. This feature marks external websites or files identified as higher risk, giving users a visual warning before the AI processes external sources.

Together, these two features reflect OpenAI’s current stance toward the enterprise market: on one hand, offering strict isolation options (Lockdown Mode); on the other, providing softer warning mechanisms (High-Risk Tag), allowing organizations with different risk tolerances to choose their level of protection.

OpenAI explicitly states in the announcement that Lockdown Mode "is not suitable for everyone." It is designed for "individuals and organizations handling sensitive data who want stricter protection against prompt injection-related data leaks." The implication is that this feature is a professional tool, not a default setting that everyone should enable.

However, the existence of Lockdown Mode clearly indicates one thing: the security boundaries of AI systems are now a key factor in enterprise procurement decisions, no longer just an internal concern for technical teams.
