Main information
- Researchers have discovered vulnerability in Chatgpt allowing data theft from connected Google Drive accounts.
- The attack uses a “poisoned” document containing hidden prompts that trigger Chatgpt to extract sensitive information without user interaction.
- This incident highlights the risks linked to the connection of artificial intelligence systems to personal or professional data and underlines the need to put in place protective measures against indirect-guide messages.
Security researchers have unveiled a disturbing vulnerability in Chatgpt at the Black Hat conference in Las Vegas. Using a single “poisoned” document, they were able to extract sensitive data from a connected Google Drive account without any interaction from the user.
Malicious instructions
This feat uses the chatgpt connectors function and is based on a technique called “zero-click”. The attack, named Agentflayer by researchers Michael Bargury and Tamir Ishay Sharbat of Zenity, consists in sending to a little suspicious user a shared document containing a hidden prompt. This prompt, written in white text with a tiny font size, is invisible to the human eye but easily readable by Chatgpt.
When the user asks an apparently harmless question, such as a meeting summary, Chatgpt is the prey of the malicious instructions hidden in the invite. Instead of providing a summary, the AI performs instructions such as the search for API keys to the drive and sending them to an external server through a disguised image link.
Data flight
Bargury underlines that this attack is completely passive; Users do not need to open the document or do anything. The simple fact of sharing the document with their Google account is enough to trigger data theft.
OPENAI, the creators of Chatgpt, were informed of this vulnerability at the beginning of the year and set up countermeasures. However, this incident highlights the potential risks associated with the connection of artificial intelligence systems to personal or professional data.
Google acknowledges that if this problem is not specific to its Drive platform, it highlights the importance of protection against “indirect prompt injections”. As integration of AI with external sources are generalized, the risk that hackers incorporate malicious instructions into user data increases considerably. (FC)
