Researchers Uncover Indirect Prompt Injection Vulnerabilities in AI Tools

By Tina Reynolds

Unfortunately, recent research has found dangerous vulnerabilities in many popular AI-enhanced tools. These alarming discoveries have major implications for data security and the threat of data exfiltration. The vulnerabilities, especially in third-party integrations such as Claude Cowork, Superhuman AI, and others, open pathways for attackers to carry out indirect prompt injection through third-party content. This type of attack could allow an attacker to access sensitive information without any direct user action.

One of these vulnerabilities is the basis of a particularly damaging exploit, dubbed ZombieAgent. It abuses ChatGPT’s integrations with third-party applications, turning untargeted indirect prompt injections into zero-click attacks. By sending sensitive data out character by character, ZombieAgent turns the chatbot into a channel for data exfiltration.

These vulnerabilities are critical, with implications that reach well beyond data theft. Attackers can use them to exert long-term, persistent control over the systems they compromise. This article explains how these vulnerabilities work, what damage they could cause, and what precautions are advised.

Understanding Indirect Prompt Injection Vulnerabilities

Indirect prompt injection vulnerabilities affect a wide range of AI tools. Popular ones include IBM Bob, Notion AI, Hugging Face Chat, Google Antigravity and Slack AI. These vulnerabilities arise because AI systems fail to distinguish legitimate instructions from their users from malicious instructions that adversaries embed in the content the systems process. As a consequence, they are easily manipulated.

The root cause is the handling of untrusted data: content the model reads is treated as if it were instructions. This lets attackers steer the AI’s outputs through prompt injection or, in some cases, exfiltrate private information without detection. Some of these attacks abuse the Model Context Protocol’s (MCP) sampling capability, through which a server can ask the client’s model for completions. As a result, they often consume AI compute quotas and turn cloud infrastructure into a platform for unapproved workloads.

“There’s no limit to the amount or type of data that can be exfiltrated. The server can request information based on earlier responses.” – Varonis

This capability is alarming because it gives an adversary a way to probe for sensitive information specific to the victim’s context, amplifying the threat further.

The Threat of ZombieAgent

ZombieAgent marks a leap in the sophistication of these attacks. By enabling zero-click data exfiltration, it effectively turns ChatGPT into a covert data-mining operation. The exploit works by steering the assistant through a list of existing, pre-built URLs, each of which represents one letter, number, or special character (a special character stands in for spaces).

This approach allows data to be extracted repeatedly at regular intervals. It also gives an attacker persistence by injecting adversarial instructions into the AI’s long-term memory. As a result, whether or not the user closes the chat, the attacker can hijack the session in the background without the user’s knowledge.
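Added here as an example, not code from the article or from the researchers it cites, is a small detector for the exfiltration pattern just described: it scans an AI tool’s outbound request log for a burst of fetches to one host where each URL’s last path segment is a single character, and joins the characters in order so responders can see what was sent. The host names, the log lines and the space stand-in `_` are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed egress-proxy log of URLs the assistant fetched: (seconds, url).
# Host names are made up for this example.
SAMPLE_LOG = [
    (100.0, "https://docs.example.test/page/intro"),
    (101.0, "https://cdn.attacker.test/c/s"),
    (101.2, "https://cdn.attacker.test/c/e"),
    (101.4, "https://cdn.attacker.test/c/c"),
    (101.6, "https://cdn.attacker.test/c/r"),
    (101.8, "https://cdn.attacker.test/c/e"),
    (102.0, "https://cdn.attacker.test/c/t"),
    (105.0, "https://docs.example.test/page/faq"),
]
SPACE_TOKEN = "_"  # assumed stand-in for a space; the article does not say which


def single_char_segment(url):
    """(host, path prefix, char) if the last path segment is one character,
    i.e. the one-character-per-URL alphabet described above; else None."""
    parsed = urlparse(url)
    parts = parsed.path.rstrip("/").split("/")
    last = parts[-1]
    if len(last) != 1:
        return None
    return parsed.netloc, "/".join(parts[:-1]), " " if last == SPACE_TOKEN else last


def find_char_bursts(log, min_len=6, window=5.0):
    """Group single-character fetches by (host, prefix). For each group with
    at least `min_len` fetches inside a `window`-second span, return the
    characters joined in order: a candidate exfiltration channel plus what
    it carried, for alerting and for scoping an incident."""
    groups = defaultdict(list)
    for ts, url in log:
        hit = single_char_segment(url)
        if hit:
            host, prefix, char = hit
            groups[(host, prefix)].append((ts, char))
    bursts = {}
    for key, events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_len:  # the latest qualifying run is kept
                bursts[key] = "".join(c for _, c in events[start:end + 1])
    return bursts
```

A hit on a host the assistant has no business contacting is the alert; blocking that host at the egress proxy and purging injected memory entries are the follow-up actions.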

“Only a single click on a legitimate Microsoft link is required to compromise victims.” – Dolev Taler

Dolev Taler further explained that there are “no plugins, no user interaction with Copilot,” highlighting how easily vulnerable systems can be exploited without requiring typical user engagement.

Implications of CellShock Vulnerability

The second major vulnerability is CellShock, which affects Anthropic’s Claude for Excel. It allows attackers to craft specially designed instructions and plant them in untrusted data sources. When that data is processed, unsafe formulas are allowed to run and exfiltrate sensitive data from users’ spreadsheets.

CellShock is a reminder that prompt injection vulnerabilities can have severe real-world consequences. It can reach the most sensitive files on a device and send data straight to attackers. The attack vector also enables result tampering and the injection of long-lasting instructions. This is the most alarming part of the broader trend of cybersecurity threats built on generative AI technologies.

“Reprompt effectively creates a security blind spot by turning Copilot into an invisible channel for data exfiltration without requiring any user input prompts, plugins, or connectors.” – Varonis

Noma Security describes this evolving threat landscape, which poses significant risk, as the “real world.” AI agents are already being given ever wider access to sensitive corporate data and greater autonomy. While these vulnerabilities persist, organizations need to invest in cybersecurity strategies to safeguard sensitive data.

Recommended Precautions

Experts recommend that all users of AI-powered tools take proactive steps to reduce these risks. Our first and foremost recommendation is to safeguard your personal information. Never share anything in a chat that someone could use to blackmail or extort you.

“Second, avoid sharing personal information in chats or any other information that could be used for ransom or extortion.” – Dor Yardeni

With cybersecurity threats on the rise, understanding where your exposure lies is key for any organization that uses AI technologies. Implementing strict access controls and routinely strengthening security measures can reduce exposure to these indirect prompt injection vulnerabilities.