A critical vulnerability in OpenAI\u2019s ChatGPT Connectors feature allows attackers to exfiltrate sensitive data from connected Google Drive accounts without any user interaction beyond the initial file sharing.<\/p>\n
The attack, dubbed \u201cAgentFlayer,\u201d represents a new class of zero-click exploits targeting AI-powered enterprise tools.<\/p>\n
The vulnerability was disclosed by cybersecurity researchers Michael Bargury from Zenity and Tamir Ishay Sharbat at the Black Hat hacker conference in Las Vegas, demonstrating how a single malicious document can trigger automatic data theft from victims\u2019 cloud storage accounts.<\/p>\n
ChatGPT Connectors, launched in early 2025, enable the AI assistant to integrate with third-party applications, including Google Drive, SharePoint, GitHub, and Microsoft 365. This feature enables users to search files, pull live data, and receive contextual answers based on their personal business data.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisojx1fWyk3CSBChyVF_DAQpS_N4tIek-xJ9HjP1sHVIb2gxWcQdrcDQVjnYVv32XkbSaQBpKJzxXQfaoj5Wqb-Wb0GHs8Lw3mqfjV1imZcnKp27whcnURDgfbumwaYDvRssAIlhMYucaT6LrEZePIbD5W9Yf9hhUivp3lDLnhgJEYEaxVJ601e4kV3S97\/w640-h246\/indirect%2520prompt%2520injection.webp?ssl=1\")
<\/figure>\n<\/div>\nChatGPT 0-click Vulnerability<\/strong><\/h2>\nThe researchers exploited this functionality through an indirect prompt injection<\/a> attack. By embedding invisible malicious instructions within seemingly benign documents using techniques such as 1-pixel white text on white backgrounds, attackers can manipulate ChatGPT\u2019s behavior when the document is processed.<\/p>\n\u201cAll the user needs to do for the attack to take place is to upload a naive looking file from an untrusted source to ChatGPT, something we all do on a daily basis,\u201d Bargury explained<\/a>. \u201cOnce the file is uploaded, it\u2019s game over. There are no additional clicks required.\u201d<\/p>\nThe attack unfolds when a victim uploads the poisoned document to ChatGPT or has it shared to their Google Drive. Even a harmless request like \u201csummarize this document\u201d can trigger the hidden payload, causing ChatGPT to search the victim\u2019s Google Drive for sensitive information such as API keys, credentials, or confidential documents.<\/p>\n
\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhz96vRJ_zg538zkJrnrRloYH0lFznjmgBSOWMkHfmEVhIZ3pp-Tgvpd1h4zWRt_LaCjDwNkg7hMFUBIlbftCeiGmmMKxQCObaQjUttJBW_7u2UQRyN7kJmnZ39Le1McFSo3KaANOtN_7bhZFEm3XsPPtujMYhX8J82umv5J7hLLfzB3P3Xwie24vrGddIr\/w640-h280\/victim%2520API%2520Keys.webp?ssl=1\")
<\/figure>\n<\/div>\nThe researchers leveraged ChatGPT\u2019s ability to render images as the primary data exfiltration method. When instructed through the hidden prompt, ChatGPT embeds stolen data as parameters in image URLs, causing automatic HTTP requests to attacker-controlled servers when the images are rendered.<\/p>\n
Initially, OpenAI had implemented basic mitigations by checking URLs through an internal \u201curl_safe\u201d endpoint before rendering images. However, the researchers discovered they could bypass these protections by using Azure Blob Storage URLs, which ChatGPT considers trustworthy.<\/p>\n
By hosting images on Azure Blob Storage and configuring Azure Log Analytics to monitor access requests, attackers can capture exfiltrated data through the image request parameters while appearing to use legitimate Microsoft infrastructure.<\/p>\n
\n![\"successful](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhs-qy0XbK7s73Ws-R1Rz1XH8q7keGnYhp772R-bhSB-yZcN0iibOZWiPutuZu85tHfQqn4Y6e6-i7Aj0y0atRf3HxExuco3n1vQg8zaazAxLwzuHzAxFdnYQZZz2J7cDCIWMNSEZkB7M0ywYk5dwqM6Lrgx0_5ecdcDhhg18oW4DNoI59rOeJ4t7neUmRV\/s16000\/azure%2520log.webp?ssl=1\")
successful attack<\/figcaption><\/figure>\n<\/div>\nThe vulnerability poses significant risks for enterprise environments where ChatGPT Connectors are increasingly deployed. Organizations using the feature to integrate business-critical systems like SharePoint sites containing HR manuals, financial documents, or strategic plans could face comprehensive data breaches.<\/p>\n
\u201cThis isn\u2019t exclusively applicable to Google Drive,\u201d the researchers noted. \u201cAny resource connected to ChatGPT can be targeted for data exfiltration. Whether it\u2019s Github, Sharepoint, OneDrive or any other third-party app that ChatGPT can connect to.\u201d<\/p>\n
The attack is particularly concerning because it bypasses traditional security awareness training. Employees who have been educated about email phishing and suspicious links may still fall victim to this attack vector, as the malicious document appears completely legitimate and the data theft occurs transparently.<\/p>\n
OpenAI was notified of the vulnerability and quickly implemented mitigations to address the specific attack demonstrated by the researchers. However, the underlying architectural challenge remains unresolved.<\/p>\n
\u201cOpenAI is already aware of the vulnerability and has mitigations in place. But unfortunately these mitigations aren\u2019t enough,\u201d the researchers warned. \u201cEven safe looking URLs can be used for malicious purposes. If a URL is considered safe, you can be sure an attacker will find a creative way to take advantage of it.\u201d<\/p>\n
This vulnerability exemplifies broader security challenges facing AI-powered enterprise tools. Similar issues have been discovered across the industry, including Microsoft\u2019s \u201cEchoLeak<\/a>\u201d vulnerability in Copilot and various prompt injection attacks against other AI assistants.<\/p>\nThe Open Worldwide Application Security Project (OWASP)<\/a> has identified prompt injection as the top security risk in its 2025 Top 10 for LLM Applications, reflecting the widespread nature of these threats across AI systems.<\/p>\nAs enterprises rapidly adopt AI agents and assistants, security researchers emphasize the need for comprehensive governance frameworks that address these new attack vectors.<\/p>\n
Mitigations<\/strong><\/h2>\nSecurity experts recommend several measures to mitigate risks from similar attacks:<\/p>\n
\n- Implement strict access controls for AI connector permissions, following the principle of least privilege.<\/li>\n
- Deploy monitoring solutions specifically designed for AI agent activities.<\/li>\n
- Educate users about the risks of uploading documents from untrusted sources to AI systems.<\/li>\n
- Consider network-level monitoring for unusual data access patterns.<\/li>\n
- Regularly audit connected services and their permission levels.<\/li>\n<\/ul>\n
Equip your SOC with full access to the latest threat data from ANY.RUN TI Lookup<\/strong> that can Improve incident response -> Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\nThe post ChatGPT Connectors \u20180-click\u2019 Vulnerability Let Attackers Exfiltrate Data From Google Drive<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
\u201cAll the user needs to do for the attack to take place is to upload a naive looking file from an untrusted source to ChatGPT, something we all do on a daily basis,\u201d Bargury explained<\/a>. \u201cOnce the file is uploaded, it\u2019s game over. There are no additional clicks required.\u201d<\/p>\n The attack unfolds when a victim uploads the poisoned document to ChatGPT or has it shared to their Google Drive. Even a harmless request like \u201csummarize this document\u201d can trigger the hidden payload, causing ChatGPT to search the victim\u2019s Google Drive for sensitive information such as API keys, credentials, or confidential documents.<\/p>\n The researchers leveraged ChatGPT\u2019s ability to render images as the primary data exfiltration method. When instructed through the hidden prompt, ChatGPT embeds stolen data as parameters in image URLs, causing automatic HTTP requests to attacker-controlled servers when the images are rendered.<\/p>\n Initially, OpenAI had implemented basic mitigations by checking URLs through an internal \u201curl_safe\u201d endpoint before rendering images. However, the researchers discovered they could bypass these protections by using Azure Blob Storage URLs, which ChatGPT considers trustworthy.<\/p>\n By hosting images on Azure Blob Storage and configuring Azure Log Analytics to monitor access requests, attackers can capture exfiltrated data through the image request parameters while appearing to use legitimate Microsoft infrastructure.<\/p>\n The vulnerability poses significant risks for enterprise environments where ChatGPT Connectors are increasingly deployed. Organizations using the feature to integrate business-critical systems like SharePoint sites containing HR manuals, financial documents, or strategic plans could face comprehensive data breaches.<\/p>\n \u201cThis isn\u2019t exclusively applicable to Google Drive,\u201d the researchers noted. \u201cAny resource connected to ChatGPT can be targeted for data exfiltration. Whether it\u2019s Github, Sharepoint, OneDrive or any other third-party app that ChatGPT can connect to.\u201d<\/p>\n The attack is particularly concerning because it bypasses traditional security awareness training. Employees who have been educated about email phishing and suspicious links may still fall victim to this attack vector, as the malicious document appears completely legitimate and the data theft occurs transparently.<\/p>\n OpenAI was notified of the vulnerability and quickly implemented mitigations to address the specific attack demonstrated by the researchers. However, the underlying architectural challenge remains unresolved.<\/p>\n \u201cOpenAI is already aware of the vulnerability and has mitigations in place. But unfortunately these mitigations aren\u2019t enough,\u201d the researchers warned. \u201cEven safe looking URLs can be used for malicious purposes. If a URL is considered safe, you can be sure an attacker will find a creative way to take advantage of it.\u201d<\/p>\n This vulnerability exemplifies broader security challenges facing AI-powered enterprise tools. Similar issues have been discovered across the industry, including Microsoft\u2019s \u201cEchoLeak<\/a>\u201d vulnerability in Copilot and various prompt injection attacks against other AI assistants.<\/p>\n The Open Worldwide Application Security Project (OWASP)<\/a> has identified prompt injection as the top security risk in its 2025 Top 10 for LLM Applications, reflecting the widespread nature of these threats across AI systems.<\/p>\n As enterprises rapidly adopt AI agents and assistants, security researchers emphasize the need for comprehensive governance frameworks that address these new attack vectors.<\/p>\n Security experts recommend several measures to mitigate risks from similar attacks:<\/p>\n Equip your SOC with full access to the latest threat data from ANY.RUN TI Lookup<\/strong> that can Improve incident response -> Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post ChatGPT Connectors \u20180-click\u2019 Vulnerability Let Attackers Exfiltrate Data From Google Drive<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n<\/figure>\n<\/div>\nMitigations<\/strong><\/h2>\n
\n