AgentFlayer is a critical vulnerability in ChatGPT Connectors. Learn how this zero-click attack uses indirect prompt injection to…

AgentFlayer is a critical vulnerability in ChatGPT Connectors. Learn how this zero-click attack uses indirect prompt injection to secretly steal sensitive data from your connected Google Drive, SharePoint, and other apps without you knowing.

A new security flaw, dubbed AgentFlayer, has been revealed that demonstrates how attackers can secretly steal personal information from users’ connected accounts, like Google Drive, without the user ever clicking anything. The vulnerability was discovered by cybersecurity researchers at Zenity and presented at the recent Black Hat conference.

As per Zenity’s research, the flaw takes advantage of a feature in ChatGPT called Connectors, which allows the AI to link to outside applications such as Google Drive and SharePoint. While this feature is designed to be helpful, for example, by letting ChatGPT summarise documents from your company’s files, Zenity found that it can also create a new path for hackers.

****The Attack in Action****

The AgentFlayer attack works through a clever method called an indirect prompt injection. Instead of directly typing in a malicious command, an attacker embeds a hidden instruction into a harmless-looking document. This could even be done with text in a tiny, invisible font.

Invisible prompt injection embedded in a document. 1px white font (Source: Zenity)

The attacker then waits for a user to upload this poisoned document to ChatGPT. When the user asks the AI to summarise the document, the hidden instructions tell ChatGPT to ignore the user’s request and instead perform a different action. Such as, the hidden instructions could tell ChatGPT to search the user’s Google Drive for sensitive information like API keys.

Victim’s API Keys (Source: Zenity)

The stolen information is then sent to the attacker in an incredibly subtle way. The attacker’s instructions tell ChatGPT to create an image with a special link. When the AI displays this image, the link secretly sends the stolen data to a server controlled by the attacker. All of this happens without the user’s knowledge and without them needing to click on anything.

****A Growing Risk for AI****

Zenity’s research points out that while OpenAI has some security measures in place, they aren’t enough to stop this type of attack. Researchers were able to bypass these safeguards by using specific image URLs that ChatGPT trusted.

This vulnerability is part of a larger class of threats that show the risks of connecting AI models to third-party apps. Itay Ravia, the Head of Aim Labs, confirmed this, stating that such vulnerabilities are not isolated and that more of them will likely appear in popular AI products.

“As we warned with our original research, EchoLeak (CVE-2025-32711) that Aim Labs publicly disclosed on June 11th, this class of vulnerability is not isolated, with other agent platforms also susceptible,_“_ Ravia explained.

“The AgentFlayer zero-click attack is a subset of the same EchoLeak primitives. These vulnerabilities are intrinsic, and we will see more of them in popular agents due to a poor understanding of dependencies and the need for guardrails,” Ravia commented, emphasising that advanced security measures are needed to defend against these kinds of sophisticated manipulations.

AgentFlayer 0-click exploit abuses ChatGPT Connectors to Steal 3rd-party app data

Plus: Instagram sparks a privacy backlash over its new map feature, hackers steal data from Google's customer support system, and the true scope of the Columbia University hack comes into focus.

This is the week of Black Hat and Defcon, which means a flood of news coming out of the Las Vegas security conferences. As you might expect, artificial intelligence was one popular topic—specifically, using AI chatbots to cause mischief.

One team of researchers, from Tel Aviv University, created a clever attack that allowed them to take over a target’s smart home devices using a “poisoned” Google Calendar invite. It’s the first known attack method that used AI to impact physical devices.

Another researcher used a poisoned document that included a malicious prompt to trick ChatGPT into leaking a user’s private information when it’s connected to a Google Drive.

In non-AI news, an end-to-end encryption algorithm recommended for radio communications used by police and military around the world can be easily cracked, according to new research. The researchers warn that weak implementations of the encryption algorithm could allow eavesdroppers to listen in—or even transmit their own messages.

Speaking of weaknesses, a security researcher found that misconfigured APIs in some streaming platforms used for company meetings and sports livestreams can allow someone to watch the streams without logging in. And a teen hacker discovered that an internet-connected smoke and vape detector in his high school’s bathroom contained microphones—and can be exploited for secret spying.

A leaked trove of data has exposed how teams of suspected North Korean IT scam workers operate, from their meticulous record keeping to the after-work activities—and their near-constant surveillance by people running the schemes.

Finally, in the last of our Black Hat- and Defcon-related news (so far), a pair of security researchers discovered a backdoor in an electronic lock used in at least eight brands of safes, and created a way to open the locks in seconds. They also found another vulnerability that allows them to figure out a safe’s unlock code.

We also took a deep dive into the US military’s slot machine program, spoke with experts who say it’s inevitable that AI will become part of nuclear weapons systems, and revealed a string of break-ins of National Guard armories in Tennessee that experts say is part of a disturbing trend.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Hack of US Court System Exposed Sealed Records, FBI Says**

A previously unreported cyberattack breached the federal judiciary’s electronic case filing system, potentially exposing the identities of confidential informants and compromising sealed court records across multiple US states, Politico reports. The breach was discovered around July 4 and affects the CM/ECF—or “case management/electronic case files”—system used by courts to manage sensitive documents.

Sources told Politico the hack may have impacted criminal dockets, arrest warrants, and sealed indictments, raising concerns that cooperating witnesses could be at risk. The actor behind the intrusion has not been exposed. The Administrative Office of the US Courts and FBI declined to provide Politico with a comment.

In response to recent cyberattacks, the federal judiciary said its been in the process of implementing new safeguards to address the judiciary’s ongoing exposure to “constant and sophisticated” cyber threats.

The incident highlights longstanding warnings that the judiciary’s systems are outdated and vulnerable. A top federal judge told Congress in June that CM/ECF and PACER face “unrelenting security threats” and need urgent replacement.

**Instagram’s New Map Feature Triggers Privacy Backlash**

Instagram’s latest feature—a searchable map showing user-posted content tagged to specific locations—has sparked a wave of privacy concerns, CNBC reports. Rolled out this week, the feature lets users explore photos and videos by browsing a visual map interface.

But users quickly raised alarms about the potential for stalking, harassment, and data misuse, especially for influencers and others posting real-time content from identifiable locations. “Instagram randomly updating their app to include a maps feature without actually alerting people is so incredibly dangerous to anyone who has a restraining order and actively making sure their abuser can’t stalk their location online,” one viral post warned.

Instagram said the feature only shows content from public accounts and reiterated that users can turn off location tagging. Still, the backlash echoes broader concerns about how tech platforms rapidly aggregate and expose personal data in ways that outpace users’ expectations and consent.

**Hackers Breached Google’s Salesforce Database, Stole Customer Data**

Hackers stole data from Google’s customer support system in a breach linked to a compromised Salesforce account, TechCrunch reports. The intrusion, disclosed Wednesday, affected an undisclosed number of Google customers and involved unauthorized access to data such as contact details and “related notes for small and medium-sized businesses.”

The attackers reportedly targeted the data through Salesforce cloud systems. Google’s Threat Intelligence Group pinned the attack on ShinyHunters, a hacking group known for targeting large companies’ cloud-based databases, including Salesforce systems.

The breach affecting Google follows similar attacks on Cisco, Qantas, and Pandora, where attackers used voice phishing to trick employees into granting access. Google says the group may be preparing a leak site to extort victims and is linked to other cybercriminal collectives like The Com, which has a history of hacking and extortion.

**Columbia University Hack Exposed Data of 870,000 People**

A cyberattack on Columbia University compromised the personal information of nearly 870,000 individuals, including students, applicants, and possibly staff, Bloomberg reports. The stolen data includes contact information, academic records, financial aid details, and some health and insurance information, according to draft letters, intended for victims, obtained by the news outlet.

The breach, which dates back to mid-May, was only publicly acknowledged after Columbia filed reports with state attorneys general in California and Maine. A university official previously claimed the perpetrator was politically motivated. The school claims it has implemented new safeguards and continues to notify affected individuals.

The incident preceded a campus-wide IT outage in June. The school reportedly suspected a potential cyberattack at the time.

The US Court Records System Has Been Hacked

Spreadsheets, Slack messages, and files linked to an alleged group of North Korean IT workers expose their meticulous job-planning and targeting—and the constant surveillance they're under.

Job hunting is a fresh kind of hell. Hours are wasted sifting through open roles, tweaking cover letters, dealing with obtuse recruiters—and that’s all before you get started with potential interviews. Arguably, some of the world’s most prolific job applicants—or at least most persistent—are those of North Korea’s sprawling IT worker schemes. For years, Kim Jong Un’s repressive regime has successfully sent skilled coders abroad where they’re tasked with finding remote work and sending money back to the heavily sanctioned and isolated nation. Each year, thousands of IT workers bring in somewhere between $250 million and $600 million, according to United Nations estimates.

Now an apparent huge new trove of data, obtained by a cybersecurity researcher, sheds new light on how one group of alleged North Korean IT workers has been running its operations and the meticulous planning involved in the money-making schemes. Money made by scam IT workers contributes to North Korea’s weapons of mass destruction development efforts and ballistic missile programs, the US government has said. Emails, spreadsheets, documents, and chat messages from Google, Github, and Slack accounts allegedly linked to the alleged North Korean scammers show how they track potential jobs, log their ongoing applications, and record earnings with a painstaking attention to detail.

The cache of data, which represents a glimpse into the workaday life of some of North Korea’s IT workers, also purportedly includes fake IDs that may be used for job applications, as well as example cover letters, details of laptop farms, and manuals used to create online accounts. It reinforces how reliant upon US-based tech services, such as Google, Slack, and GitHub, the DPRK workers are.

“I think this is the first time to see their internal \[operations\], how they are working,” says the security researcher, who uses the handle SttyK and asked not to be named due to privacy and security concerns. SttyK, who is presenting their findings at the Black Hat security conference in Las Vegas today, says an unnamed confidential source provided them with the data from the online accounts. “There are several dozen gigabytes worth of data. There are thousands of emails,” says SttyK, who showed WIRED their presentation ahead of the conference.

North Korea’s IT workers have, in recent years, infiltrated huge Fortune 500 companies, a host of tech and crypto firms, and countless small businesses. While not all IT worker teams use the same approaches, they often use fake or stolen identities to get work and also use facilitators who help cover their digital tracks. The IT workers are often based in Russia or China and are given more freedom and liberties—they’ve been seen enjoying pool parties and dining out on expensive steak dinners—than millions of North Koreans who are not afforded basic human rights. One North Korean defector who operated as an IT worker recently told the BBC that 85 percent of their ill-gained earnings were sent to North Korea. “It’s still much better than when we were in North Korea,” they said.

Multiple screenshots of spreadsheets in the data obtained by SttyK show a cluster of IT workers that appear to be split into 12 groups—each with around a dozen members—and an overall “master boss.” The spreadsheets are methodologically put together to track jobs and budgets: They have summary and analysis tabs that drill down into the data for each group. Rows and columns are neatly filled out; they appear to be updated and maintained regularly.

The tables show the potential target jobs for IT workers. One sheet, which seemingly includes daily updates, lists job descriptions (“need a new react and web3 developer”), the companies advertising them, and their locations. It also links to the vacancies on freelance websites or contact details for those conducting the hiring. One “status” column says whether they are “waiting” or if there has been “contact.”

Screenshots of one spreadsheet seen by WIRED appears to list the potential real-world names of the IT workers themselves. Alongside each name is a register of the make and model of computer they allegedly have, as well as monitors, hard drives, and serial numbers for each device. The “master boss,” who does not have a name listed, is apparently using a 34-inch monitor and two 500GB hard drives.

One “analysis” page in the data seen by SttyK, the security researcher, shows a list of types of work the group of fraudsters are involved in: AI, blockchain, web scraping, bot development, mobile app and web development, trading, CMS development, desktop app development, and “others.” Each category has a potential budget listed and a “total paid” field. A dozen graphs in one spreadsheet claim to track how much they have been paid, the most lucrative regions to make money from, and whether getting paid weekly, monthly, or as a fixed sum is the most successful.

“It’s professionally run,” says Michael “Barni” Barnhart, a leading North Korean hacking and threat researcher who works for insider threat security firm DTEX. “Everyone has to make their quotas. Everything needs to be jotted down. Everything needs to be noted,” he says. The researcher adds that he has seen similar levels of record keeping with North Korea’s sophisticated hacking groups, which have stolen billions in cryptocurrency in recent years, and are largely separate to IT worker schemes. Barnhart has viewed the data obtained by SttyK and says it overlaps with what he and other researchers were tracking.

“I do think this data is very real,” says Evan Gordenker, a consulting senior manager at the Unit 42 threat intelligence team of cybersecurity company Palo Alto Networks, who has also seen the data SttyK obtained. Gordenker says the firm had been tracking multiple accounts in the data and that one of the prominent GitHub accounts was previously exposing the IT workers’ files publicly. None of the DPRK-linked email addresses responded to WIRED’s requests for comment.

GitHub removed three developer accounts after WIRED got in touch, with Raj Laud, the company’s head of cybersecurity and online safety, saying they have been suspended in line with its “spam and inauthentic activity” rules. “The prevalence of such nation-state threat activity is an industry-wide challenge and a complex issue that we take seriously,” Laud says.

Google declined to comment on specific accounts WIRED provided, citing policies around account privacy and security. “We have processes and policies in place to detect these operations and report them to law enforcement,” says Mike Sinno, director of detection and response at Google. “These processes include taking action against fraudulent activity, proactively notifying targeted organizations, and working with public and private partnerships to share threat intelligence that strengthens defenses against these campaigns.”

“We have strict policies in place that prohibit the use of Slack by sanctioned individuals or entities, and we take swift action when we identify activity that violates these rules,” says Allen Tsai, senior director of corporate communications at Slack’s parent company Salesforce. “We cooperate with law enforcement and relevant authorities as required by law and do not comment on specific accounts or ongoing investigations.”

Another spreadsheet also lists members as being part of a “unit” called “KUT,” a potential abbreviation of North Korea’s Kim Chaek University of Technology, which has been cited in US government warnings about DPRK-linked IT workers. One column in the spreadsheet also lists “ownership” as “Ryonbong,” likely referring to defense company Korea Ryonbong General Corporation, which has been sanctioned by the US since 2005 and UN since 2009. “The vast majority of them \[IT workers\] are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors,” the US Treasury Department said in a May 2022 report.

Across the myriad of IT worker-linked GitHub and LinkedIn accounts, CVs, and portfolio websites that researchers have identified in recent years, there are often distinct patterns. Email addresses and accounts use the same names; CVs can look identical. “Reusing resume content is also something that we’ve seen frequently across their profiles,” says Benjamin Racenberg, a senior researcher who has tracked North Korean IT worker personas at cybersecurity firm Nisos. Racenberg says the scammers are increasingly adopting AI for image manipulation, video calls, and as part of scripts they use. “For portfolio websites, we’ve seen them use templates and use the same template over and over again,” Racenberg says.

That all points to some day-to-day drudgery for the IT workers tasked with running the criminal schemes for the Kim regime. “It’s a lot of copy and paste,” Unit 42’s Gordenker says. One suspected IT worker Gordenker has tracked was spotted using 119 identities. “He Googles Japanese name generators—spelled wrong of course—and then over the course of about four hours, just fills out spreadsheets just full of names and potential places \[to target\].”

The detailed documentation also serves another purpose, though: tracking the IT workers and their actions. “There’s a lot of moving parts once the money gets into the actual hands of leadership, so they're going to need accurate numbers,” DTEX’s Barnhart says. Employee monitoring software has been seen on the scammers’ machines in some instances and researchers claim North Koreans in job interviews won’t answer questions about Kim.

SttyK says they saw dozens of screen recordings in Slack channels showing the workers daily activity. In screenshots of a Slack instance, the “Boss” account sends a message: “@channel: Everyone should try to work more than at least 14 hrs a day.” The next message they sent says: “This time track includes idling time, as you know.”

“Interestingly, their communication has been all English, not Korean,” SttyK says. The researcher, along with others, speculates this may be for a couple of reasons: first, to blend into legitimate activity; and secondly, to help improve their English skills for applications and interviews. Google account data, SttyK says, shows they were frequently using online translation to process messages.

Beyond a glimpse at the ways in which the IT workers track their performance, the data SttyK obtained gives some limited clues about the day-to-day lives of the individual scammers themselves. One spreadsheet lists a volleyball tournament the IT workers apparently had planned; in Slack channels, they celebrated birthdays and shared inspirational memes from a popular Instagram account. In some screen recordings, SttyK says, they can be seen playing _Counter-Strike_. “I felt there was a strong unity among the members,” SttyK says.

Leak Reveals the Workaday Lives of North Korean IT Scammers

## Impact

In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers:

1. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
2. An attacker could contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.

In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.

The [ZIP standard](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.

The practical impact of these differentials is limited by a number of factors:

- To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run `uv install $package` with an attacker-controlled `$package`.
- When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., `python -c "import $package"`.
- If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
- The practical impact of these differentials is limited by a coordinated fix to [Warehouse](https://github.com/pypi/warehouse), PyPI's backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.

## Patches

Versions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.

## Workarounds

Users are advised to upgrade to 0.8.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set `UV_INSECURE_NO_ZIP_VALIDATION=1` to revert to the previous behavior.

## Attribution

This vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).

**Impact**

In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. This enabled two parser differentials against other Python package installers:

1.  An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. The attacker could choose which installer to target.
2.  An attacker could contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target.

In both cases, the outcome is that an attacker can produce a ZIP with a consistent digest that expands differently with different installers.

The ZIP standard is ambiguous with respect to these behavior differentials. Consequently, these same differentials may be accepted ZIP parsers other than those used in uv. This advisory is for uv in particular, but all consumers of ZIP-based Python package distributions, e.g., pip, are potentially susceptible to similar parser differentials in other ZIP parsers.

The practical impact of these differentials is limited by a number of factors:

*   To be compromised via this vulnerability, user interaction of some sort is required. In particular, the user must run uv install $package with an attacker-controlled $package.
*   When using wheel distributions, installation of the malicious package is not sufficient for execution of malicious code, the vicim would need to perform a separate invocation, e.g., python -c "import $package".
*   If a ZIP-based source distribution (which are less common than tarball source distributions), is encountered, malicious code can be executed during package resolution or installation. uv may invoke the malicious code when building the source distribution into a wheel.
*   The practical impact of these differentials is limited by a coordinated fix to Warehouse, PyPI's backend: Warehouse now rejects ZIPs exhibiting these differentials, limiting the ability of an attacker to distribute malicious ZIP distributions via PyPI. As part of that coordinated fix, a review of Warehouse revealed no evidence of exploitation.

**Patches**

Versions 0.8.6 and newer of uv address both of the parser differentials above, by refusing to process ZIPs with duplicated local file entries or stacked contents.

**Workarounds**

Users are advised to upgrade to 0.8.6 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. However, users who do experience breakage should carefully review their distributions for signs of malicious intent. Users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior.

**Attribution**

This vulnerability was discovered separately by two different individuals: Caleb Brown (Google) and Tim Hatch (Netflix).

**References**

*   GHSA-8qf3-x8v5-2pj8
*   astral-sh/uv@7f1eaf4
*   https://astral.sh/blog/uv-security-advisory-cve-2025-54368
*   https://blog.pypi.org/posts/2025-08-07-wheel-archive-confusion-attacks

GHSA-8qf3-x8v5-2pj8: uv allows ZIP payload obfuscation through parsing differentials

In 2024, it was Snowflake. In 2025, it's Salesforce. ShinyHunters is back, with low-tech hacks that nonetheless manage to bring down international megaliths like Google, Cisco, and Adidas.

Payback: 'ShinyHunters' Clocks Google via Salesforce

Google confirms a data breach by ShinyHunters hackers, who used a vishing scam to access a Salesforce database with small business customer info.

In a recent revelation, Google has confirmed that one of its internal databases was breached by a well-known cybercriminal organization. The Google Threat Intelligence Group (GTIC), which was already investigating the activities of the group known as ShinyHunters (or UNC6040), disclosed that its own Salesforce database was accessed in June. The attack exposed information belonging to Google’s small and medium-sized business clients.

The company stated that the breach was contained quickly, and the hackers had access for only a “small window of time.” The stolen data was described as “basic and largely publicly available,” consisting of business names, contact details, and some related notes. While Google did not disclose the full scale of the breach, the incident highlights a growing security concern for all businesses, including technology giants.

****Deception, Not Technical Flaws****

This attack was not a traditional hack exploiting a software flaw, but a sophisticated social engineering scheme. The hackers used a method called vishing (voice phishing) where they impersonated a company’s IT support staff in a phone call.

During the call, they tricked a Google employee into approving a malicious application disguised as a legitimate tool, the Salesforce Data Loader. This fraudulent app granted the hackers access to the database, allowing them to steal information.

Attack Flow Illustration (Source: Google)

As per Google Threat Intelligence Group’s (GTIG) research, UNC6040 is responsible for intrusions, while a separate group, UNC6240, handles the extortion, demanding Bitcoin payments within 72 hours. The company also warns that hackers have updated their tools and may be planning to launch a Data Leak Site (DLS) to pressure victims.

“The news that Google has suffered a data breach in the recent wave of attacks executed by ShinyHunters highlights that no organisation is immune to cybercrime,_”_ said William Wright, CEO of Closed Door Security. “It doesn’t matter if you are a small business or one of the world’s leading technology firms, all organisations are vulnerable._”_

He also emphasised that employee training and the use of MFA are key to blocking these attacks in their early stages.

****A Bigger and Growing Threat****

This breach is part of a larger trend of attacks by the ShinyHunters group. Over the past year, Hackread.com has reported the group’s links to several high-profile incidents, including a massive breach at Santander bank in May 2024 and another at Ticketmaster that affected over 560 million customers globally.

The threat is still active, as luxury fashion brand Chanel also recently announced it suffered a data breach in July, affecting some of its US customers via a third-party Salesforce database. Google’s report also warns that ShinyHunters may be planning to escalate its activities by launching a public data leak site.

In response to the attack, Google said it took immediate action to secure its systems and notify affected clients. The company also advises other businesses to strengthen their defences with better employee training, multi-factor authentication, and stricter access controls to prevent similar social engineering attacks.

Google Confirms Salesforce Data Breach by ShinyHunters via Vishing Scam

Cybersecurity researchers demonstrate a new attack on Google Gemini AI for Workspace. Discover how a simple calendar invite can be used to perform phishing, steal emails, and even control home appliances.

Cybersecurity researchers at SafeBreach Labs have uncovered a new kind of cyberattack that starts with something as ordinary as a Google Calendar invitation. According to the team, this method can be used to hijack a person’s Google Gemini AI agent, giving attackers the ability to spy on them, steal personal data, and even take control of smart home devices remotely.

The research, titled “Invitation Is All You Need,” was carried out by Ben Nassi, Stav Cohen, and Or Yair. In an interview with Hackread.com, SafeBreach Labs explained that the attack relies on a new kind of threat known as Promptware. This technique manipulates an AI model by inserting carefully composed text, or prompts, that trick it into carrying out harmful actions.

Promptware’s Perimeter’s Location (Source: SafeBreach Labs)

The SafeBreach team developed a more advanced version of the attack, which they’ve named a Targeted Promptware attack. They demonstrated how it works specifically on Gemini for Workspace. By sending a malicious Google Calendar invitation, they were able to hijack a user’s Gemini agent, all without the person ever realising it.

This technique is known as an “indirect prompt injection” because the malicious instructions are hidden in something the AI reads on its own, like an event title, instead of being entered directly by the user.

Targeted Promptware Attack Explained (Source: SafeBreach Labs)

To show just how serious the vulnerability is, the researchers used a range of techniques, including context poisoning and automatic tool invocation, to exploit Gemini. Their tests demonstrated how far the attack could go once the AI agent was compromised.

After taking control of the Gemini agent, they were able to carry out a wide range of malicious actions, including

*   Steal private emails
*   Figure out a person’s location
*   Send spam and phishing emails
*   Delete a person’s calendar events
*   Generate harmful and toxic content
*   Turn on a person’s video camera through Zoom

What’s even more concerning is that the attack doesn’t stop online. The researchers showed that a compromised AI assistant could also take control of apps on a person’s smartphone, including those linked to smart home devices.

The researchers also found that an attacker could remotely control things like connected windows, boilers, and lights. This confirmed that Promptware attacks can go beyond Gemini itself and lead to real-world physical impact.

The researchers reported their findings to Google in February 2025. In response, Google rolled out new protections, including stronger security around sensitive actions and better systems to detect prompt injection attacks.

SafeBreach Labs estimates that 73% of these threats fall under the “High-Critical risk” category and warns that other AI-powered tools could be at risk too. The full research will be presented at Black Hat USA and DEF CON 33.

Meanwhile, it’s highly recommended to check out SafeBreach’s technical blog post and the seven demo videos the company shared.

New Promptware Attack Hijacks User’s Gemini AI Via Google Calendar Invite

Hackers tricked workers over the phone at Google, Adidas, and more to grant access to Salesforce data.

At the heart of multiple data breaches against sophisticated and robust companies, including Google, Adidas, Louis Vuitton, and Chanel, was a rudimentary attack method that required little technical finesse—making a phone call.

By disguising themselves as IT support personnel on the phone, hackers belonging to the group “ShinyHunters” successfully tricked the employees at several multinational corporations into handing over the data within their own Salesforce platforms. The attacks underscore the vulnerability that all businesses face—large or small—in preventing cyberattacks that begin through basic social engineering scams.

In a bizarre twist of irony, security researchers at Google Threat Intelligence Group (GITG) originally uncovered the hacking campaign in June, only to announce that Google itself had been hit by the very same tactic this week. Other victims in the hacking campaign include Allianz Life, the airline Qantas, and the jeweler Pandora.

The data breaches all leverage a Salesforce feature that allows users to connect to various, external apps. This functionality allows business owners and employees to, for instance, connect their Salesforce data to mapping tools to visualize the locations of a customer base, or to connect their Salesforce data with a newsletter platform to deliver email marketing campaigns to specific customer segments.  

In the attacks, the hackers trick employees into connecting to a fraudulent version of Salesforce’s “Data Loader” app, which lets users import, export, update, and delete large quantities of data that are stored or managed within Salesforce itself. The process for connecting to an external app is simple, as employees just enter an 8-digit code when prompted by Salesforce. But once ensnared in the phone scam, employees are tricked into entering an 8-digit code that will connect to a data exfiltration program owned and operated entirely by the hackers.

Once connected, the hackers are free to roam inside the company’s Salesforce data and steal what they see fit. Some attacks reportedly included an expansion by the hackers into other corporate online accounts, including Microsoft 365, which could reveal a company’s emails and other sensitive messages.

In the attack against Google, the hackers accessed a Salesforce “instance,” which is a term used to describe a company or user’s implementation of software and the data they manage through that software (Think of it like when a hacker breaches an online account and then pilfers all the data related to that account and what it can access). In the Google attack, the Salesforce instance “was used to store contact information and related notes for small and medium businesses.”

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

According to the outlet Bleeping Computer, the ShinyHunters cybercrime group is still stealing business data through this attack campaign. Once the hackers have the data, they then extort the victims to pay a hefty ransom or risk having the data exposed online.

****How to stay safe from the Salesforce scam****

Because this attack is so targeted—every corporate victim uses Salesforce—the defense strategies are clear and actionable. Here’s how you can help yourself and your staff in avoiding this attack.

*   **Audit your Salesforce access**. Ensure that the only employees or staff who have access to Salesforce are those who need to use it for their job. When there are fewer employees who can access Salesforce, there are fewer entry points for hackers.
*   **Train your staff**. Recognizing a social engineering scam is important for any workforce, no matter the size. Inform your employees and yourself about your current IT support provider so that any rogue phone calls are immediately caught.
*   **Use multifactor authentication (MFA) for important accounts**. The hackers in these attacks managed to gain access to other cloud applications like Microsoft 365. Protect all your employee accounts on sensitive platforms with MFA.

Social engineering scams are some of the most effective and serious threats to small businesses. It’s important to recognize them when they happen. And for all else, use always-on cybersecurity to protect your business from malware, viruses, and nefarious break-in attempts.

 How Google, Adidas, and more were breached in a Salesforce scam 

A jury has ruled that Meta accessed sensitive information from women's reproductive health tracking app Flo without consent.

A jury has ruled that Meta accessed sensitive information from a woman’s reproductive health tracking app without consent.

The app in question is called Flo Health. Developed in 2015 in Belarus to track menstrual cycles, it has evolved over the years as a tracking app for highly detailed, intimate aspects of women’s reproductive health.

Flo Health user Erica Frasco bought a class action lawsuit against the company in 2021, following a damning report about its privacy infractions by the Wall Street Journal in 2019.

Since she downloaded the app in 2017, Frasco, like its other users, regularly answered highly intimate questions. These ranged from the timing and comfort level of menstrual cycles, through to mood swings and preferred birth control methods, and their level of satisfaction with their sex life and romantic relationships. The app even asked when users had engaged in sexual activity and whether they were trying to get pregnant.

According to the complaint, Flo Health promised not to share this data with third parties unless it was necessary for the provision of its services. Even then, it would not only share information relevant to web hosting and app development, it promised. It would not include “information regarding your marked cycles, pregnancy, symptoms, notes and other information entered by \[users\]”, reported the original complaint.

Yet between 2016 and 2019 Flo Health shared that intimate data with companies including Facebook and Google, along with mobile marketing firm AppsFlyer, and Yahoo!-owned mobile analytics platform Flurry. Whenever someone opened the app, it would be logged. Every interaction inside the app was also logged, and this data was shared.

Flo Health didn’t impose rules on how these third parties could use the data. “In fact, the terms of service governing Flo Health’s agreement with these third parties allowed them to use the data for their own purposes, completely unrelated to services provided in connection with the App,” the complaint went on.

By December 2020, 150 million people were using the app, according to court documents. Flo had promised them that they could trust it.

Users were “trusting us with intimate personal information,” it said in its privacy policy. “We are committed to keeping that trust, which is why our policy as a company is to take every step to ensure that individual user’s data and privacy rights are protected.”

The Federal Trade Commission investigated these allegations and settled with Flo Health in 2021, imposing an independent review of its privacy policy and mandating that it not misrepresent its app.

The class action lawsuit claims common law invasion of privacy, breach of contract and implied contract, unjust enrichment, and breach of the Stored Communications Act and the California Confidentiality of Medical Information Act. It seeks damages for plaintiffs, along with some of the company’s profit.

Google and Flo Health have both settled with plaintiffs already, but Meta has not. The jury ruled that Meta intentionally “eavesdropped on and/or recorded their conversations by using an electronic device,” and that it did so without consent.

This case is important on so many levels. Aside from general privacy concerns, women’s menstrual health is an area of particular contention after the US Supreme Court removed the constitutional right to abortion in June 2022. That year, Meta came under scrutiny for providing police with private message data between a mother and her daughter planning medication to abort a pregnancy.

We could simply say “Don’t use Flo Health”, but the app was trusted until it was found out. How many others are sharing data in similarly irresponsible ways? Increasingly, we lean toward simply not using apps to track sensitive data of this kind at all.

However, then there are the websites to worry about. A report by Propublica found that online pharmacies selling abortion pills were sharing sensitive data with Google and others. This could give law enforcement evidence in cases against women, it said. Technology promised us convenience, but its misuse also brings serious dangers to users.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Meta accessed women&#8217;s health data from Flo app without consent, says court 

Security researchers found a weakness in OpenAI’s Connectors, which let you hook up ChatGPT to other services, that allowed them to extract data from a Google Drive without any user interaction.

The latest generative AI models are not just stand-alone text-generating chatbots—instead, they can easily be hooked up to your data to give personalized answers to your questions. OpenAI’s ChatGPT can be linked to your Gmail inbox, allowed to inspect your GitHub code, or find appointments in your Microsoft calendar. But these connections have the potential to be abused—and researchers have shown it can take just a single “poisoned” document to do so.

New findings from security researchers Michael Bargury and Tamir Ishay Sharbat, revealed at the Black Hat hacker conference in Las Vegas today, show how a weakness in OpenAI’s Connectors allowed sensitive information to be extracted from a Google Drive account using an indirect prompt injection attack. In a demonstration of the attack, dubbed AgentFlayer, Bargury shows how it was possible to extract developer secrets, in the form of API keys, that were stored in a demonstration Drive account.

The vulnerability highlights how connecting AI models to external systems and sharing more data across them increases the potential attack surface for malicious hackers and potentially multiplies the ways where vulnerabilities may be introduced.

“There is nothing the user needs to do to be compromised, and there is nothing the user needs to do for the data to go out,” Bargury, the CTO at security firm Zenity, tells WIRED. “We’ve shown this is completely zero-click; we just need your email, we share the document with you, and that’s it. So yes, this is very, very bad,” Bargury says.

OpenAI did not immediately respond to WIRED’s request for comment about the vulnerability in Connectors. The company introduced Connectors for ChatGPT as a beta feature earlier this year, and its website lists at least 17 different services that can be linked up with its accounts. It says the system allows you to “bring your tools and data into ChatGPT” and “search files, pull live data, and reference content right in the chat.”

Bargury says he reported the findings to OpenAI earlier this year and that the company quickly introduced mitigations to prevent the technique he used to extract data via Connectors. The way the attack works means only a limited amount of data could be extracted at once—full documents could not be removed as part of the attack.

“While this issue isn’t specific to Google, it illustrates why developing robust protections against prompt injection attacks is important,” says Andy Wen, senior director of security product management at Google Workspace, pointing to the company’s recently enhanced AI security measures.

Bargury’s attack starts with a poisoned document, which is shared to a potential victim’s Google Drive. (Bargury says a victim could have also uploaded a compromised file to their own account.) Inside the document, which for the demonstration is a fictitious set of notes from a nonexistent meeting with OpenAI CEO Sam Altman, Bargury hid a 300-word malicious prompt that contains instructions for ChatGPT. The prompt is written in white text in a size-one font, something that a human is unlikely to see but a machine will still read.

In a proof of concept video of the attack, Bargury shows the victim asking ChatGPT to “summarize my last meeting with Sam,” although he says any user query related to a meeting summary will do. Instead, the hidden prompt tells the LLM that there was a “mistake” and the document doesn’t actually need to be summarized. The prompt says the person is actually a “developer racing against a deadline” and they need the AI to search Google Drive for API keys and attach them to the end of a URL that is provided in the prompt.

That URL is actually a command in the Markdown language to connect to an external server and pull in the image that is stored there. But as per the prompt’s instructions, the URL now also contains the API keys the AI has found in the Google Drive account.

Using Markdown to extract data from ChatGPT is not new. Independent security researcher Johann Rehberger has shown how data could be extracted this way, and described how OpenAI previously introduced a feature called “url\_safe” to detect if URLs were malicious and stop image rendering if they are dangerous. To get around this, Sharbat, an AI researcher at Zenity, writes in a blog post detailing the work, that the researchers used URLs from Microsoft’s Azure Blob cloud storage. “Our image has been successfully rendered, and we also get a very nice request log in our Azure Log Analytics which contains the victim’s API keys,” the researcher writes.

The attack is the latest demonstration of how indirect prompt injections can impact generative AI systems. Indirect prompt injections involve attackers feeding an LLM poisoned data that can tell the system to complete malicious actions. This week, a group of researchers showed how indirect prompt injections could be used to hijack a smart home system, activating a smart home’s lights and boiler remotely.

While indirect prompt injections have been around almost as long as ChatGPT has, security researchers worry that as more and more systems are connected to LLMs, there is an increased risk of attackers inserting “untrusted” data into them. Getting access to sensitive data could also allow malicious hackers a way into an organization's other systems. Bargury says that hooking up LLMs to external data sources means they will be more capable and increase their utility, but that comes with challenges. “It’s incredibly powerful, but as usual with AI, more power comes with more risk,” Bargury says.

Tag

#google