TL;DR: Chatbots and other AI services are increasingly making life easier for cybercriminals. A recently disclosed attack demonstrates how ChatGPT can be exploited to steal API keys and other sensitive data stored on popular cloud platforms.
A newly discovered prompt injection attack threatens to turn ChatGPT into a cybercriminal's best ally in the data theft business. Dubbed AgentFlayer, the exploit uses a single document to conceal "secret" prompt instructions targeting OpenAI's chatbot. A malicious actor could simply share the seemingly harmless document with their victim via Google Drive no clicks required.
AgentFlayer is a true "zero-click" threat. It exploits a vulnerability in Connectors, a recently launched ChatGPT feature that links the assistant to external apps, services, and websites. According to OpenAI, Connectors supports some of the world's most widely used platforms including cloud storage services like Google Drive and Microsoft OneDrive.
The security researchers who uncovered AgentFlayer used Google Drive to highlight the severe risks posed by unregulated chatbots and covert prompt injections. The poisoned document includes a 300-word malicious prompt, hidden in plain sight. It's formatted in white, size-one font effectively invisible to human readers but fully parsed and executed by the chatbot.
The malicious prompt used to demonstrate AgentFlayer's capabilities instructs ChatGPT to search the victim's Google Drive for API keys, append them to a specially crafted URL, and connect to an external server. Once the poisoned document is shared, the attack is already underway. The attacker receives the secret API keys the next time the victim interacts with ChatGPT (as long as the Connectors feature is enabled).
AgentFlayer is not a vulnerability specific to Google's cloud platform, according to Andy Wen, senior director of security at Google Workspace. Still, Mountain View is already working on enhanced protections to prevent its AI services from complying with potentially malicious, hidden prompts.
Researchers disclosed the attack to OpenAI earlier this year. The company has since introduced mitigations to block AgentFlayer from targeting Connectors. While the exploit is designed to extract only a limited amount of data per request, the researchers warn it underscores a broader concern: AI systems with unrestricted access to user data and cloud files pose a serious security risk.
