A newly discovered ChatGPT Exploit Google Drive vulnerability reveals how dangerous AI-cloud integrations can be. At the Black Hat 2025 security conference, researchers Michael Bargury and Tamir Ishay Sharbat demonstrated a zero-click attack named AgentFlayer, capable of stealing sensitive Google Drive data in seconds using hidden prompts inside a single “poisoned” document.
The attack begins with a malicious file, often a Google Doc that appears harmless. However, buried within it is a block of invisible instructions, such as white text in size-1 font. While humans cannot see these prompts, ChatGPT connected to Google Drive via OpenAI’s Connectors can read them.
When a user innocently asks ChatGPT to summarize the file, the hidden instructions override the request. Instead of summarizing, they command the AI to search Google Drive for API keys or confidential documents, embed them into a URL inside a Markdown image link, and render the image. This sends the secrets to an attacker-controlled server—all without any clicks or explicit approvals.
This stealthy ChatGPT Exploit Google Drive attack works because Connectors grant direct AI access to services like Google Drive, Gmail, OneDrive, and GitHub. While these features make ChatGPT more powerful, they also increase its attack surface, creating new vulnerabilities.
Security experts describe this method as an indirect prompt injection. Unlike traditional exploits, it manipulates the AI’s own instructions to perform malicious actions without user consent.
OpenAI’s Response
OpenAI has deployed fixes to block this specific exploit by limiting certain outputs and restricting the amount of retrievable data in one request. However, researchers warn that attackers may develop similar methods in the future.
Protecting Against the Exploit
The AgentFlayer case highlights the urgent need for security measures when connecting AI to sensitive accounts. Experts recommend:
- Scanning and sanitizing all files before AI processing.
- Setting strict permission limits for AI-connected services.
- Monitoring AI behavior for suspicious activity patterns.
As AI becomes more integrated into daily workflows, defending against prompt injection attacks will be as crucial as patching traditional software vulnerabilities.
