A crucial vulnerability in OpenAI’s ChatGPT Connectors characteristic permits attackers to exfiltrate delicate information from related Google Drive accounts with none consumer interplay past the preliminary file sharing.
The assault, dubbed “AgentFlayer,” represents a brand new class of zero-click exploits concentrating on AI-powered enterprise instruments.
The vulnerability was disclosed by cybersecurity researchers Michael Bargury from Zenity and Tamir Ishay Sharbat on the Black Hat hacker convention in Las Vegas, demonstrating how a single malicious doc can set off computerized information theft from victims’ cloud storage accounts.
ChatGPT Connectors, launched in early 2025, allow the AI assistant to combine with third-party functions, together with Google Drive, SharePoint, GitHub, and Microsoft 365. This characteristic permits customers to look information, pull stay information, and obtain contextual solutions based mostly on their private enterprise information.
ChatGPT 0-click Vulnerability
The researchers exploited this performance by an oblique immediate injection assault. By embedding invisible malicious directions inside seemingly benign paperwork utilizing strategies akin to 1-pixel white textual content on white backgrounds, attackers can manipulate ChatGPT’s habits when the doc is processed.
“All of the consumer must do for the assault to happen is to add a naive wanting file from an untrusted supply to ChatGPT, one thing all of us do each day,” Bargury defined. “As soon as the file is uploaded, it’s sport over. There are not any extra clicks required.”
The assault unfolds when a sufferer uploads the poisoned doc to ChatGPT or has it shared to their Google Drive. Even a innocent request like “summarize this doc” can set off the hidden payload, inflicting ChatGPT to look the sufferer’s Google Drive for delicate data akin to API keys, credentials, or confidential paperwork.
The researchers leveraged ChatGPT’s skill to render photographs as the first information exfiltration methodology. When instructed by the hidden immediate, ChatGPT embeds stolen information as parameters in picture URLs, inflicting computerized HTTP requests to attacker-controlled servers when the pictures are rendered.
Initially, OpenAI had carried out primary mitigations by checking URLs by an inner “url_safe” endpoint earlier than rendering photographs. Nevertheless, the researchers found they might bypass these protections through the use of Azure Blob Storage URLs, which ChatGPT considers reliable.
By internet hosting photographs on Azure Blob Storage and configuring Azure Log Analytics to observe entry requests, attackers can seize exfiltrated information by the picture request parameters whereas showing to make use of legit Microsoft infrastructure.
profitable assault
The vulnerability poses vital dangers for enterprise environments the place ChatGPT Connectors are more and more deployed. Organizations utilizing the characteristic to combine business-critical techniques like SharePoint websites containing HR manuals, monetary paperwork, or strategic plans might face complete information breaches.
“This isn’t solely relevant to Google Drive,” the researchers famous. “Any useful resource related to ChatGPT will be focused for information exfiltration. Whether or not it’s Github, Sharepoint, OneDrive or another third-party app that ChatGPT can connect with.”
The assault is especially regarding as a result of it bypasses conventional safety consciousness coaching. Workers who’ve been educated about e mail phishing and suspicious hyperlinks should fall sufferer to this assault vector, because the malicious doc seems utterly legit and the info theft happens transparently.
OpenAI was notified of the vulnerability and rapidly carried out mitigations to handle the precise assault demonstrated by the researchers. Nevertheless, the underlying architectural problem stays unresolved.
“OpenAI is already conscious of the vulnerability and has mitigations in place. However sadly these mitigations aren’t sufficient,” the researchers warned. “Even secure wanting URLs can be utilized for malicious functions. If a URL is taken into account secure, you will be positive an attacker will discover a inventive strategy to benefit from it.”
This vulnerability exemplifies broader safety challenges going through AI-powered enterprise instruments. Related points have been found throughout the trade, together with Microsoft’s “EchoLeak” vulnerability in Copilot and varied immediate injection assaults in opposition to different AI assistants.
The Open Worldwide Utility Safety Mission (OWASP) has recognized immediate injection as the highest safety danger in its 2025 High 10 for LLM Functions, reflecting the widespread nature of those threats throughout AI techniques.
As enterprises quickly undertake AI brokers and assistants, safety researchers emphasize the necessity for complete governance frameworks that deal with these new assault vectors.
Mitigations
Safety consultants suggest a number of measures to mitigate dangers from comparable assaults:
Implement strict entry controls for AI connector permissions, following the precept of least privilege.
Deploy monitoring options particularly designed for AI agent actions.
Educate customers in regards to the dangers of importing paperwork from untrusted sources to AI techniques.
Take into account network-level monitoring for uncommon information entry patterns.
Recurrently audit related companies and their permission ranges.
Equip your SOC with full entry to the most recent risk information from ANY.RUN TI Lookup that may Enhance incident response -> Get 14-day Free Trial
