One poisoned file exposed ChatGPT Connector data from Drive
Security researchers have demonstrated a zero-click, indirect prompt injection vulnerability named AgentFlayer, which allowed the extraction of sensitive API keys from Google Drive via OpenAI's ChatGPT Connectors. The attack leverages a 'poisoned' document with hidden instructions that manipulate the AI model into exfiltrating data through specially crafted URLs in Markdown language. OpenAI has since implemented mitigations, though the incident highlights increasing risks as AI models integrate with external data systems.
Key Takeaways
- Researchers Michael Bargury and Tamir Ishay Sharbat disclosed AgentFlayer at Black Hat in Las Vegas.
- The attack used a poisoned document with a 300-word prompt hidden in white text, size-one font.
- ChatGPT was tricked into searching Google Drive for API keys and attaching them to a crafted Markdown URL.
- Bargury said the technique was zero-click: sharing the document was enough for compromise.
- OpenAI introduced mitigations after Bargury reported the issue earlier this year; the attack could only extract limited data at once.
Why It Matters
This is a concrete example of how linking ChatGPT to external systems expands the attack surface beyond the model itself. The issue is not limited to Google Drive: the article says the same class of indirect prompt injection affects any system that feeds untrusted data into an LLM, and Google points to its own AI security measures for Workspace. For teams wiring AI into inboxes, calendars, code, and file stores, the risk is now data exfiltration through the model’s own integrations. Watch for additional connector-level mitigations and any future disclosure on which linked services OpenAI supports.
Read full article at wired.com