Introduction – zero-click ChatGPT vulnerability

At Black Hat USA 2025, Israeli cybersecurity firm Zenity revealed a striking demonstration of how hackers could compromise ChatGPT accounts without the victim clicking a link, opening a file, or performing any deliberate action. This so-called “zero-click” vulnerability showed how attackers could seize full control of ChatGPT through its Connectors feature, exfiltrate sensitive information, and even alter the chatbot’s behavior to work covertly against the user.

The implications extend beyond OpenAI. Zenity also demonstrated attacks on Microsoft Copilot Studio, Salesforce Einstein, Google Gemini, and Cursor with Jira MCP integration. These findings highlight a broader and urgent security challenge: the rise of AI agents as autonomous, high-privilege digital entities—and their attraction as hacker targets.

What Zenity Demonstrated at Black Hat 2025

Zenity’s researchers, including co-founder and CTO Michael Bargury, used a “poisoned” Google Drive document as the attack vector. This document contained hidden instructions in barely visible text. When the victim asked ChatGPT to summarize the file, those hidden instructions caused the chatbot to:

• Search the victim’s connected cloud storage for sensitive information

• Encode the stolen data into a special image URL

• Send that request to a server controlled by the attacker

Because the exploit ran entirely through the ChatGPT Connectors integration, the victim did not have to click anything. Their own AI agent executed the commands automatically.

OpenAI responded quickly with mitigations once Zenity reported the issue. However, Zenity emphasized that the underlying problem—indirect prompt injection leading to Connector abuse—remains a design-level challenge.

Attacks on Other AI Platforms – zero-click ChatGPT vulnerability

Zenity’s “AgentFlayer” research also revealed similar zero-click or one-click vulnerabilities in other AI-driven systems:

1. Microsoft Copilot Studio – Injected prompts into CRM workflows caused the AI to leak sensitive customer relationship data. Microsoft deployed patches for the specific attack.

2. Salesforce Einstein – Crafted CRM records rerouted legitimate customer emails to attacker-controlled addresses, enabling long-term interception of communications.

3. Google Gemini & Microsoft 365 Copilot – Hidden prompts in calendar invites and emails turned these assistants into social-engineering tools, leaking confidential messages and event data.

4. Cursor with Jira MCP – Malicious tickets synchronized from external systems allowed attackers to steal API tokens and repository credentials from developers.

The pattern was the same across all platforms: attackers compromised the AI agent’s environment or inputs, and the agent—trusting those sources—executed harmful commands on the attacker’s behalf.

Summary Table of Zenity’s Demonstrations – zero-click ChatGPT vulnerability

Platform: OpenAI ChatGPT (Connectors)
Attack Vector: Poisoned document shared via Google Drive
Outcome: Stole keys from Drive and exfiltrated via image URL (no clicks required)
Vendor Response: Mitigations deployed after disclosure

Platform: Microsoft Copilot Studio
Attack Vector: Prompt injection in CRM workflows
Outcome: Leaked internal configurations and customer data
Vendor Response: Patched the specific vector

Platform: Salesforce Einstein
Attack Vector: Hidden instructions in CRM records
Outcome: Rerouted customer emails to attacker domain
Vendor Response: Fixed by Salesforce in July 2025

Platform: Cursor + Jira MCP
Attack Vector: Malicious tickets from external integrations
Outcome: Harvested API tokens and repository secrets
Vendor Response: Not disclosed

Why This Matters: Agents Are the New OS

AI agents are no longer simple chatbots. They are integrated systems that can open files, send messages, manipulate cloud resources, and trigger workflows. This means that if an attacker compromises the agent, they effectively compromise the user’s digital identity and access rights.

Traditional phishing defenses assume the attacker needs to trick a human into taking action. With zero-click exploits, that assumption breaks down. The AI becomes the compromised operator, carrying out malicious instructions buried in data it processes.

Historical Context: Israel’s Cyber Operations Legacy

Understanding Zenity’s work is easier when viewed against the backdrop of Israel’s history in offensive cyber capabilities.

Stuxnet (2010) – Widely attributed to a joint U.S.–Israeli operation, Stuxnet was the first known malware to cause physical damage. It targeted Siemens controllers at Iran’s Natanz nuclear facility, subtly altering centrifuge speeds while feeding false readings to operators. It destroyed an estimated one-fifth of Iran’s centrifuges.

Duqu and Flame – Follow-up operations focused on espionage. Duqu specialized in intelligence gathering, while Flame was a massive modular spyware platform capable of recording audio, capturing screenshots, and stealing data over long periods.

NSO Group’s Pegasus – This private-sector spyware became infamous for its zero-click exploits of messaging apps, allowing attackers to infect smartphones silently. It was sold to governments worldwide, often used against journalists, activists, and political opponents.

The thread connecting all of these: exploiting trust and integration points. Whether it was industrial control systems, mobile messaging infrastructure, or now AI connectors, attackers targeted the trusted channels that organizations and individuals rely on.

Why the History Matters for AI Agent Security – zero-click ChatGPT vulnerability

From Stuxnet to Pegasus, two lessons are clear:

1. Trusted systems and data channels can be weaponized.

2. The more capabilities a system has, the more catastrophic a compromise becomes.

AI agents like ChatGPT with Connectors combine both of these traits: they have broad capabilities and rely on trusted integrations. This makes them prime candidates for the same type of exploitation seen in past cyber campaigns.

Practical Risk Scenarios

• Silent Data Theft – Malicious content in a document, ticket, or calendar entry could make an AI agent search for sensitive files and leak them without the user realizing.

• Workflow Manipulation – An attacker could insert hidden instructions into CRM records, causing the AI to change contact details or redirect communications.

• Persistent Backdoors – Instructions could be stored in the AI’s memory or notes, ensuring it continues acting for the attacker in future sessions.

• Developer Credential Theft – Malicious Jira tickets could cause developer assistants to expose API keys or other secrets.

Defensive Strategies – zero-click ChatGPT vulnerability

1. Treat all incoming data, even from trusted sources, as potentially malicious. Sanitize inputs before the AI processes them.

2. Limit connector permissions to the smallest necessary scope.

3. Monitor AI agent activity logs for unusual behavior or data access patterns.

4. Disable features like remote image loading in AI outputs where possible.

5. Require human approval for sensitive operations like sending files or changing customer contact information.

6. Test your systems regularly with simulated prompt-injection and indirect exploitation scenarios.

Frequently Asked Questions

Is the zero-click ChatGPT vulnerability fully fixed?
OpenAI addressed the specific exfiltration method Zenity used, but researchers warn that similar attack patterns remain possible in other contexts.

Could attackers act on my behalf?
Yes. If your AI agent has access to files, email, or other systems, a compromised agent can use those permissions just as you would.

How is this different from phishing?
Traditional phishing relies on tricking a human into acting. Zero-click exploits target the AI itself, using the data it processes to deliver hidden instructions.

What should my organization do now?
Inventory all AI agents and their integrations, disable nonessential connectors, apply the principle of least privilege, and add indirect prompt-injection testing to security exercises.

Conclusion – zero-click ChatGPT vulnerability

Zenity’s Black Hat 2025 research shows that AI agents have become both powerful tools and high-value targets. The zero-click exploit against ChatGPT illustrates how attackers can bypass human defenses entirely, manipulating trusted systems into betraying their users.

When viewed through the lens of Israel’s cyber operations—from Stuxnet’s industrial sabotage to Pegasus’s silent phone compromises—it’s clear this is part of a broader trend. As technology gains autonomy, the methods to compromise it evolve just as fast.

Securing AI agents will require new thinking, stricter controls, and constant vigilance. Without these measures, the same autonomy that makes agents useful will make them dangerous.

Zero-Click ChatGPT Hack Exposed: How Israeli Firm Zenity Shook the AI World at Black Hat 2025  (Video)

Related Videos:

Related Posts:

Your PC’s a Mess. Here’s the 10-Minute Windows Cleanup Anyone Can Do

China’s Rare Earths Weapon Could Kill Europe’s Auto Industry

Goodbye to Trust in Elon Musk: The Self-Driving Tesla That Crashed a Dummy Child—and the Real Safety Crisis Behind It

Samsung Galaxy Z Fold6 Review: Why It Beats Apple and Redefines the Smartphone in 2025

Bad News If You Bought a Tesla: “New” Cars May Not Be As New As You Think