A newly disclosed ChatGPT vulnerability shows just how dangerous AI integrations with cloud services can be.
At the Black Hat 2025 security conference, researchers Michael Bargury and Tamir Ishay Sharbat demonstrated a stealthy zero-click attack dubbed AgentFlayer that can steal sensitive information from Google Drive using hidden prompts inside a single “poisoned” document.
How the Exploit Works
The attack begins with a malicious file, such as a Google Doc that looks completely harmless to human eyes. Buried inside the document is a block of invisible instructions, often white text in a size-1 font.
While these prompts are invisible to the human reader, they are fully processed by ChatGPT when it is connected to Google Drive via OpenAI’s Connectors feature.
When a user, unaware of the hidden content, asks ChatGPT to perform a simple action like summarizing the document, the hidden prompt takes over. Instead of summarizing, it instructs the AI to:
- Search the user’s Google Drive for API keys or other sensitive files.
- Embed those secrets into a URL inside a Markdown image link.
- Render the image, which causes the data to be sent to an attacker-controlled server.
This method requires no clicks, approvals, or manual downloads from the victim; all it takes is for ChatGPT to process the malicious file.
The attack works because ChatGPT Connectors give the AI direct access to external services like Google Drive, Gmail, OneDrive, or GitHub. While these integrations make ChatGPT more powerful, they also dramatically expand its attack surface.
As the researchers noted, the attack is an example of indirect prompt injection, a growing security concern in AI systems. Such attacks plant instructions in the content the model reads, tricking it into performing harmful tasks without the user’s consent.
OpenAI’s Response
OpenAI has rolled out mitigations to block this specific attack, such as restricting how certain outputs are handled and limiting what data can be retrieved in one go.
While this patch closes the AgentFlayer loophole, researchers warn that attackers will likely develop similar methods in the future.
The AgentFlayer exploit is a wake-up call for anyone integrating AI with sensitive accounts. Protecting these systems requires:
- Thorough scanning and sanitization of all files before the AI processes them.
- Clear, enforceable permission limits for what AI can do with connected services.
- Ongoing monitoring for suspicious patterns in AI behavior.
As AI becomes more deeply embedded in workflows, safeguarding it from prompt injection attacks will be just as critical as patching traditional software exploits.