Some of the most widely used AI agents and assistants from Microsoft, Google, OpenAI and other major companies are susceptible to being hijacked with little or no user interaction, according to new research from Zenity Labs.
During a presentation at the Black Hat USA cybersecurity conference, Zenity researchers showed how hackers could exfiltrate data, manipulate critical workflows across targeted organizations and, in some cases, even impersonate users.
Beyond infiltrating these agents, the researchers said, attackers could also gain memory persistence, letting them maintain long-term access and control.
“They can manipulate instructions, poison knowledge sources, and completely alter the agent’s behavior,” Greg Zemlin, product marketing manager at Zenity Labs, told Cybersecurity Dive. “This opens the door to sabotage, operational disruption, and long-term misinformation, especially in environments where agents are trusted to make or support critical decisions.”
Researchers demonstrated vulnerabilities in multiple popular AI agents:
- OpenAI’s ChatGPT could be compromised using an email-based prompt injection that granted them access to connected Google Drive accounts.
- Microsoft Copilot Studio’s customer-support agent leaked entire CRM databases, and researchers identified more than 3,000 agents in the wild that were at risk of leaking internal tools.
- Salesforce’s Einstein platform was manipulated to reroute customer communications to researcher-controlled email accounts.
- Attackers could turn Google’s Gemini and Microsoft 365’s Copilot into insider threats, targeting users with social-engineering attacks and stealing sensitive conversations.
Zenity Labs disclosed its findings to the companies, and some of them issued patches immediately, although it was not at once clear what guidance the others provided.
Read the Full Story Here
Source: Cybersecurity Dive
