Indirect Prompt Injection · High
AgentFlayer: zero-click ChatGPT Connectors exfiltration
August 2025 · OpenAI ChatGPT (Connectors)
What happened
At Black Hat USA 2025, Zenity Labs showed a poisoned document with hidden white-text instructions that, when summarized by ChatGPT, made the agent search a connected Google Drive for secrets such as API keys and exfiltrate them through rendered image URLs on Azure Blob, bypassing OpenAI's url_safe check. The broader AgentFlayer set also hit Copilot Studio, Cursor, Salesforce Einstein, and Gemini.
Root cause
Connected enterprise data plus rendering of attacker-influenced image URLs let a single shared document trigger zero-click exfiltration without the victim issuing any malicious request.
Fix / outcome
OpenAI and the other affected vendors addressed the demonstrated paths after coordinated disclosure.
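One defensive pattern for the root cause above, as an added example that is not code from OpenAI, Zenity Labs, or this database: filter model output before it is rendered, so only images from an exact-host allowlist with no query string or fragment are ever fetched. It assumes the agent's output is rendered as Markdown and covers inline image syntax and raw `<img>` tags only; `ALLOWED_IMAGE_HOSTS`, `image_allowed`, `sanitize` and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: exact hostnames this deployment serves its own static images from.
ALLOWED_IMAGE_HOSTS = {"static.example.com"}

# Inline Markdown image: ![alt](url "optional title")
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')
# Raw HTML image tags are removed outright rather than parsed.
HTML_IMG = re.compile(r'<img\b[^>]*>', re.IGNORECASE)


def image_allowed(url):
    """True only for https URLs on an exactly matching host, with no parameters."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    # Exact match: a suffix or substring match would admit shared hosting
    # domains and look-alike hosts such as static.example.com.evil.test.
    if host.lower() not in ALLOWED_IMAGE_HOSTS:
        return False
    # Static assets need no query or fragment; refusing both removes the
    # simplest channel for carrying data out in an image request.
    return not parts.query and not parts.fragment


def sanitize(model_output):
    """Return (cleaned_text, blocked) where blocked lists what was removed."""
    blocked = []

    def md_repl(match):
        alt, url = match.group(1), match.group(2)
        if image_allowed(url):
            return match.group(0)
        blocked.append(url)  # keep for logging and detection
        return f"[image removed: {alt}]"

    def html_repl(match):
        blocked.append(match.group(0))
        return "[image removed]"

    cleaned = MD_IMAGE.sub(md_repl, model_output)
    cleaned = HTML_IMG.sub(html_repl, cleaned)
    return cleaned, blocked
```

Entries in `blocked` are worth alerting on: an image URL pointing at an unexpected host right after the agent read a shared document is a strong signal of an injection attempt.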