{"id":125309,"date":"2025-08-07T03:37:10","date_gmt":"2025-08-07T03:37:10","guid":{"rendered":"https:\/\/www.europesays.com\/us\/125309\/"},"modified":"2025-08-07T03:37:10","modified_gmt":"2025-08-07T03:37:10","slug":"a-single-poisoned-document-could-leak-secret-data-via-chatgpt","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/us\/125309\/","title":{"rendered":"A Single Poisoned Document Could Leak \u2018Secret\u2019 Data Via ChatGPT"},"content":{"rendered":"<p>The latest generative AI models are not just stand-alone <a href=\"https:\/\/www.wired.com\/story\/openai-chatgpt-agent-launch\/\" target=\"_blank\" rel=\"noopener\">text-generating chatbots<\/a>\u2014instead, they can easily be hooked up to your data to give personalized answers to your questions. OpenAI\u2019s <a data-offer-url=\"https:\/\/help.openai.com\/en\/articles\/11487775-connectors-in-chatgpt\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/help.openai.com\/en\/articles\/11487775-connectors-in-chatgpt&quot;}\" href=\"https:\/\/help.openai.com\/en\/articles\/11487775-connectors-in-chatgpt\" rel=\"nofollow noopener\" target=\"_blank\">ChatGPT can be linked<\/a> to your Gmail inbox, allowed to inspect your GitHub code, or find appointments in your Microsoft calendar. But these connections have the potential to be abused\u2014and researchers have shown it can take just a single \u201cpoisoned\u201d document to do so.<\/p>\n<p class=\"paywall\">New findings from security researchers Michael Bargury and Tamir Ishay Sharbat, revealed at the Black Hat hacker conference in Las Vegas today, show how a weakness in OpenAI\u2019s Connectors allowed sensitive information to be extracted from a Google Drive account using an <a href=\"https:\/\/www.wired.com\/story\/generative-ai-prompt-injection-hacking\/\" target=\"_blank\" rel=\"noopener\">indirect prompt injection attack<\/a>. 
In a demonstration of the attack, <a data-offer-url=\"https:\/\/labs.zenity.io\/p\/agentflayer-chatgpt-connectors-0click-attack-5b41?\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/labs.zenity.io\/p\/agentflayer-chatgpt-connectors-0click-attack-5b41?&quot;}\" href=\"https:\/\/labs.zenity.io\/p\/agentflayer-chatgpt-connectors-0click-attack-5b41?\" rel=\"nofollow noopener\" target=\"_blank\">dubbed AgentFlayer<\/a>, Bargury shows how it was possible to extract developer secrets, in the form of API keys, that were stored in a demonstration Drive account.<\/p>\n<p class=\"paywall\">The vulnerability highlights how connecting AI models to external systems and sharing more data across them increases the potential attack surface for malicious hackers and potentially multiplies the ways in which vulnerabilities may be introduced.<\/p>\n<p class=\"paywall\">\u201cThere is nothing the user needs to do to be compromised, and there is nothing the user needs to do for the data to go out,\u201d Bargury, the CTO at security firm Zenity, tells WIRED. \u201cWe\u2019ve shown this is completely zero-click; we just need your email, we share the document with you, and that\u2019s it. So yes, this is very, very bad,\u201d Bargury says.<\/p>\n<p class=\"paywall\">OpenAI did not immediately respond to WIRED\u2019s request for comment about the vulnerability in Connectors. 
The company introduced Connectors for ChatGPT as a beta feature earlier this year, and its <a data-offer-url=\"https:\/\/help.openai.com\/en\/articles\/11487775-connectors-in-chatgpt\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/help.openai.com\/en\/articles\/11487775-connectors-in-chatgpt&quot;}\" href=\"https:\/\/help.openai.com\/en\/articles\/11487775-connectors-in-chatgpt\" rel=\"nofollow noopener\" target=\"_blank\">website lists<\/a> at least 17 different services that can be linked up with its accounts. It says the system allows you to \u201cbring your tools and data into ChatGPT\u201d and \u201csearch files, pull live data, and reference content right in the chat.\u201d<\/p>\n<p class=\"paywall\">Bargury says he reported the findings to OpenAI earlier this year and that the company quickly introduced mitigations to prevent the technique he used to extract data via Connectors. The way the attack works means only a limited amount of data could be extracted at once\u2014full documents could not be removed as part of the attack.<\/p>\n<p class=\"paywall\">\u201cWhile this issue isn\u2019t specific to Google, it illustrates why developing robust protections against prompt injection attacks is important,\u201d says Andy Wen, senior director of security product management at Google Workspace, pointing to the company\u2019s <a href=\"https:\/\/security.googleblog.com\/2025\/06\/mitigating-prompt-injection-attacks.html\" target=\"_blank\" rel=\"noopener\">recently enhanced AI security measures<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"The latest generative AI models are not just stand-alone text-generating chatbots\u2014instead, they can easily be hooked up 
to&hellip;\n","protected":false},"author":3,"featured_media":125310,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[738,77071,302,734,77072,2722,13336,305,4995,158,67,132,68,77070],"class_list":{"0":"post-125309","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-artificial-intelligence","9":"tag-black-hat","10":"tag-chatgpt","11":"tag-cybersecurity","12":"tag-defcon","13":"tag-google","14":"tag-hacking","15":"tag-openai","16":"tag-security","17":"tag-technology","18":"tag-united-states","19":"tag-unitedstates","20":"tag-us","21":"tag-vulnerabilities"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@us\/114985399295745218","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/125309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/comments?post=125309"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/posts\/125309\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media\/125310"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/media?parent=125309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/categories?post=125309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/us\/wp-json\/wp\/v2\/tags?post=125309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}