In a stark warning for the future of enterprise AI, security researchers have uncovered a critical vulnerability that allows attackers to extract sensitive data from AI assistants like ChatGPT, Copilot, and Gemini, without the user clicking a single thing.
Zenity Labs unveiled the ChatGPT poisoned document exploit — dubbed AgentFlayer — at Black Hat USA 2025, exposing a zero-click vulnerability that enables silent data exfiltration through manipulated documents and indirect prompt injections.
How It Works: The Poisoned Document Trap
More alarmingly, attackers exploit a surprisingly simple trick at the core of the vulnerability: a poisoned file. They share these documents through email, cloud links, or support platforms, embedding hidden instructions, like white text on a white background or concealed code. While humans overlook them, AI assistants silently interpret these cues during routine processing.
Once the user asks an AI assistant to summarize or analyze the file, the embedded prompt takes over, instructing the agent to search for API keys, sensitive tokens, or personal files from connected services like Google Drive or OneDrive.
The AI then embeds the stolen information into a seemingly harmless Markdown image tag, triggering an automatic browser request to the attacker’s server. The user doesn’t click anything. They don’t know anything went wrong. But the data is gone.
Who’s Affected?
Zenity’s proof-of-concept demonstrations show the exploit working across multiple AI platforms:
- ChatGPT (Enterprise): Compromised via file-based prompt injection, leading to Google Drive data leaks.
- Copilot Studio: Workflow agents manipulated to exfiltrate CRM records.
- Salesforce Einstein: Case management poisoned to divert customer info.
- Cursor + Jira: Tickets embedded with rogue prompts leading to credential theft.
- Gemini for Workspace: Tricked into pulling attacker-defined financial accounts.
While OpenAI and Microsoft have issued hotfixes for some of these vectors, many AI platforms remain vulnerable, with Zenity reporting that several vendors have opted for a “won’t fix” stance, citing architectural limitations.
The Rise of Browser-Based AI Threats
AgentFlayer isn’t just a one-off vulnerability — it’s a wake-up call.
A new class of threats is emerging, targeting browser-integrated AI agents that act across email, cloud storage, and productivity tools. Consequently, organizations often grant these agents excessive permissions by default, and their human-like behavior blinds traditional security tools to injected instructions.
“You’re not just protecting a file or an endpoint anymore,” says Zenity’s co-founder. “You’re protecting an autonomous actor who can be manipulated by words.”
Why This Changes the Game
Unlike phishing attacks that rely on human error, AgentFlayer requires no mistakes from the user. No sketchy links. No malicious downloads. Just a normal interaction with an AI system — exactly as it was designed.
The implications are serious:
- Attackers no longer need to trick humans — just their AI.
- Every AI-connected service becomes a potential data leak.
- Security visibility is limited — logs often don’t capture injected prompt execution.
What Enterprises Need to Do Now
Zenity recommends immediate steps for organizations using AI tools to guard against the ChatGPT poisoned document exploit and similar hidden threats.
- Audit AI agent permissions – Limit access to cloud storage and sensitive APIs.
- Implement AI prompt sanitization – Use tools that scan prompts and inputs for manipulative content.
- Educate end users – Awareness around AI risks is just as crucial as phishing prevention.
- Push vendors for transparency – Not all platforms disclose their vulnerabilities or fixes.
Companies that rely on virtual assistants to process sensitive information — whether it’s legal files or customer support records — need to seriously reconsider how much trust they’re placing in automated decision-making.
AgentFlayer exposes an unsettling truth: attackers can weaponize language as a new attack surface, turning helpful systems against us with just a few hidden instructions.
As Zenity puts it, “This isn’t just a software flaw. It’s a deeper issue with how digital agents interpret the world around them.”
With these systems now woven into browsers, file drives, and day-to-day workflows, it’s no longer just about protecting data — it’s about protecting how these tools think.
Visit: Digital Magazine
