Meet ShadowLeak: ‘Impossible to detect’ data theft using AI

“The difficulty to overcome is to create enough urgency and credible context [in the hidden instructions] to trick the AI into believing he is not doing anything harmful. Basically, [this is] social engineering the artificial intelligence.”

The ShadowLeak vulnerability test used Gmail. However, Geenens said, the initial attack vector could be anything that is analyzed by the AI agent. ChatGPT already provides connectors for Gmail, Google Calendar, Outlook, Outlook Calendar, Google Drive, SharePoint, Microsoft Teams, GitHub and more, he pointed out.

Just this week, he added, OpenAI announced a new beta feature that allows connecting any MCP (Model Context Protocol) server as a source or tool in ChatGPT. “This opens up the agent to access one of the several tens of thousands of community and vendor provided MCP servers as a source, creating a new vast threat surface for supply chain attacks originating from MCP servers,” he said.
