They Leaked o1 With a URL Parameter
November 2, 2024: OpenAI ships a search extension, and someone discovers the full o1 model by just changing a number in the address bar.
o1 shipped shortly after. The URL parameter leak was real. The security perimeter being a number in a URL — months of alignment work undone by a teenager's technique — became one of the funnier stories of 2024.
The ChatGPT Search extension dropped today — OpenAI, finally, formally, going after Google in the browser, where the fight actually happens.
Fine. Whatever. That's the expected part.
The unexpected part is that the full o1 release is apparently imminent, which we know because someone just changed the model parameter in a URL and walked in. That's the security perimeter. A number. In a URL. And now every corner of ML Twitter has seen the specs: 200k context window, image support, compute-time inference, the trained chain-of-thought they've been sitting on.
Not a press release. Not a blog post. A URL.
There's something almost elegant about it — months of training, alignment work, infrastructure, and the thing that finally reveals it is the same technique a teenager uses to see if an admin panel is exposed. The model is presumably very smart. The URL scheme, less so.
The 200k context and images are the things that matter here. o1 has been, until now, a text-only thinking model with a context window that felt deliberately constrained — like they wanted to see how people used it before handing over the real thing. This appears to be the real thing.
We'll find out when they actually ship it. Or when someone changes another URL parameter and just tells us.
Counterpoints
Push back, extend the argument, or sharpen it. New counterpoints go through review before they show up here.
No approved counterpoints yet.