Single Poisoned Document Could Expose ‘Secret’ Data via ChatGPT

The latest AI models are no longer just text-generating chatbots: they can connect to your data to give personalized answers. OpenAI’s ChatGPT can integrate with your Gmail, inspect your GitHub code, or check your Microsoft calendar appointments. These connections can also be exploited, however, and a single “poisoned” document is all it takes.

Security researchers Michael Bargury and Tamir Ishay Sharbat discovered a vulnerability in OpenAI’s Connectors and revealed it at the Black Hat conference in Las Vegas. The flaw allowed sensitive information to be extracted from a Google Drive account through an indirect prompt injection attack. In a demonstration of the attack, which they named AgentFlayer, Bargury showed how developer secrets such as API keys were extracted from a demo account.

This vulnerability illustrates how connecting AI models to external systems expands the attack surface and can introduce new vulnerabilities. Bargury explains that no user action is required to compromise the data: simply sharing the document via email is enough, which makes this a zero-click attack.

OpenAI has not commented publicly on the vulnerability. Connectors for ChatGPT, introduced as a beta feature, allow integration with at least 17 services, enabling users to pull data into the chat. OpenAI has been informed of these findings and has implemented mitigations against this data extraction method. The attack is also limited in scope: it cannot extract entire documents.

Andy Wen, senior director of security product management at Google Workspace, stresses the importance of robust protections against prompt injection attacks, highlighting Google’s enhanced AI security measures.
