August 7th, 2025 – Security researchers have revealed a new vulnerability in OpenAI’s ChatGPT that allowed attackers to extract sensitive data from a victim’s Google Drive with zero user interaction. The exploit, demonstrated at the Black Hat conference, uses an “indirect prompt injection” hidden within a shared document to trick the AI into leaking information.
The attack, discovered by security firm Zenity, leverages ChatGPT’s “Connectors” feature, which links the chatbot to services like Gmail, Google Drive, or Microsoft 365. According to the researchers, a malicious actor could simply share a “poisoned” document with a target. The document contained an invisible prompt – white text in a size-one font – that a human would likely miss but a chatbot could easily read.
Once the document was in the victim’s Google Drive, a seemingly innocuous request to the chatbot, such as “Summarize my last meeting with Sam,” would trigger the hidden prompt. Instead of summarizing the document, the malicious instructions would command the AI to search for API keys within the user’s Drive and exfiltrate them to an external server via a URL.
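A defender-side check for the hiding technique described above, as an added example that is not code from Zenity or OpenAI: it scans a document exported as HTML for text styled white or set at a font size of one point or less, so it can be reviewed or stripped before the content reaches an assistant. The inline-style export format, the white page background and all function names are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Assumption: the page background is white, so white text is invisible.
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
MAX_HIDDEN_SIZE = 1.0  # "size-one font", in pt or px
VOID = {"br", "img", "hr", "meta", "link", "input"}  # tags with no end tag

def parse_style(style):  # inline style attribute -> {property: value}
    props = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.lower().replace(" ", "")
    return props

def is_hidden(props):  # white text, or a font size at or below the limit
    m = re.fullmatch(r"(\d*\.?\d+)(pt|px)", props.get("font-size", ""))
    tiny = bool(m) and float(m.group(1)) <= MAX_HIDDEN_SIZE
    return tiny or props.get("color") in WHITE

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = [{}]   # effective (inherited) style per open element
        self.hidden = []    # text runs a human reader would not see
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(self.stack[-1])  # children inherit color and size
            style.update(parse_style(dict(attrs).get("style")))
            self.stack.append(style)
    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        if data.strip() and is_hidden(self.stack[-1]):
            self.hidden.append(data.strip())

def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden

# Constructed sample document, not taken from the real attack.
SAMPLE = (
    '<p style="color:#000000;font-size:11pt">Meeting notes: Q3 planning with Sam.</p>'
    '<p><span style="color: #FFFFFF; font-size: 1pt">Placeholder for an instruction aimed at the assistant.</span></p>'
    '<p style="font-size:11pt">Action items <span style="color:rgb(255, 255, 255)">(hidden aside)</span> follow.</p>'
)
```

A non-empty result from `find_hidden_text` is a reason to quarantine the file or pass only the visible text to the model; it does not catch text hidden by other means, such as CSS classes or off-page positioning.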
“This is very, very bad,” Zenity CTO Michael Bargury told Wired. “There is nothing the user needs to do to be compromised, and there is nothing the user needs to do for the data to go out.” He added, “We’ve shown this is completely zero-click; we just need your email, we share the document with you, and that’s it.”
OpenAI was notified of the exploit and quickly patched the specific vulnerability. The researchers noted that the attack was limited in scope: entire documents could not be transferred, and only small amounts of data could be exfiltrated. However, they warn that the underlying method of attack remains technically possible, and that the growing use of large language models (LLMs) in the workplace is creating new attack surfaces for hackers.
It is not just Google that is affected – the Connectors feature can link ChatGPT to up to 17 different services, raising concerns that other personal information could be compromised.
The Broader Threat of Indirect Prompt Injections
This zero-click exploit is a prime example of an indirect prompt injection, a serious type of security flaw threatening the safety of user-facing AI systems. Unlike a direct prompt injection, where a user manipulates the AI with a prompt, this attack method involves feeding the AI a document that carries a hidden, malicious prompt.
Another recent example highlights the expanding dangers of these attacks. Researchers at Tel Aviv University found that Google’s Gemini AI could be manipulated to control smart home systems. By feeding the AI a poisoned Google Calendar invite, they were able to trick it into turning off lights, opening and closing shutters, and even turning on a boiler. According to Tel Aviv University researcher Ben Nassi, we need to secure LLMs before they are integrated into physical machines like cars and humanoids, where the outcomes could be a matter of safety, not just privacy.
Security researchers have been aware of indirect prompt injection attacks for several years, but the latest incidents show that companies still have much work to do to mitigate the substantial risks. Bargury summed up the situation by stating, “It’s incredibly powerful, but as usual with AI, more power comes with more risk.”
