I’m not sure I under exactly what this is? Does it mean chatGPT has an exposed endpoint and we can ping it?

So it would seem. This doesn’t surprise me. There isn’t a way (that I’m aware of) for a web app driven by say a RESTful API to guarantee the API is only used via a web browser rather than hit via Postman, cURL or some side project someone built in their free time.