EdisonWatch, an AI security firm, has identified a critical vulnerability in ChatGPT’s new Model Context Protocol (MCP) tool support. This feature lets the model interact with third-party services such as calendars, email, and payment systems. EdisonWatch founder Eito Miyamura demonstrated how an attacker could abuse this integration to steal a user’s emails while knowing nothing more than the victim’s email address. The weakness lies in how ChatGPT handles text pulled from a user’s calendar: content written by a third party is treated as instructions rather than as data, which opens a path for data exfiltration.
The attack begins when the victim receives a specially crafted calendar invitation from the attacker. The invite does not need to be accepted. It contains a “jailbreak prompt”—a set of instructions telling ChatGPT to search the victim’s inbox for sensitive information and send it to an address the attacker controls. The payload fires when the victim asks ChatGPT for help preparing for their day, for example by checking their calendar. Unbeknownst to the user, that ordinary request feeds the injected instructions into the model, which then carries out the data theft.
This type of vulnerability is not unique to ChatGPT. Similar calendar invite attacks have previously been demonstrated against other AI assistants like Google’s Gemini and Microsoft’s Copilot. Security firms have shown how these attacks can be used for a variety of malicious purposes, including conducting spam campaigns, phishing, deleting calendar events, and even remotely controlling smart home devices. Another firm, Zenity, has also shown how AI assistants and enterprise tools can be exploited for a variety of purposes.
The EdisonWatch demonstration is the first to specifically target ChatGPT’s new calendar integration, but the findings have not been reported to OpenAI. Because it’s a known class of vulnerabilities related to LLM integration and isn’t specific to ChatGPT, AI companies are generally aware that these types of attacks are possible. The abused feature is currently only available in developer mode and requires the user to manually approve the chatbot’s actions. However, Miyamura pointed out that “decision fatigue” could still make the attack useful for threat actors, as users may just click “approve” without understanding the implications.
To help mitigate this risk, EdisonWatch has released an open-source solution designed to secure integrations and reduce the risk of data exfiltration. The company, founded by Oxford computer science alumni, focuses on helping organizations safely scale their AI implementations by enforcing “policy-as-code” for AI interactions with company systems. Their solution aims to address the most common types of AI attacks, helping to make the use of AI assistants more secure for everyone.
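The two technical points above, the attack path (untrusted calendar text turned into inbox reads and an outbound email) and the “policy-as-code” mitigation, are easier to see in a concrete gate. The following is an added example written for this page; it is not EdisonWatch’s open-source tool and not OpenAI code. It assumes a host application that passes every tool call the model requests through a policy check before executing it and reports tool results back to the gate; the tool names, record layouts, and the sample calendar and inbox data are all constructed for the example. The gate deliberately never inspects the text of an invite for jailbreak wording, because that text is attacker-controlled; it tracks provenance (did third-party content enter the context?) and gates side effects on it.

```python
"""Provenance-based policy gate for an LLM assistant's tool calls.

Added example, not EdisonWatch's open-source tool and not OpenAI/ChatGPT code.
Assumptions (constructed for this example): the host application hands every
tool call the model requests to PolicyGate.check() before executing it, and
every read-tool result to PolicyGate.record_result(); tool names and the
event/message record layouts are invented here.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Per-conversation state the gate needs."""
    user_domain: str
    tainted: bool = False                      # third-party text has entered the context
    taint_sources: list = field(default_factory=list)
    inbox_read: bool = False                   # the model has read inbox contents


@dataclass
class Decision:
    allow: bool
    reason: str
    confirm: bool = False                      # run only after explicit user approval


class PolicyGate:
    # Tools whose results are authored by third parties and may carry instruction-like text.
    READ_TOOLS = {"calendar.list_events", "email.search_inbox"}
    # Tools with side effects outside the conversation.
    EFFECT_TOOLS = {"email.send", "calendar.delete_event"}

    @staticmethod
    def _internal(session, address):
        return address.lower().endswith("@" + session.user_domain)

    def record_result(self, session, tool, result):
        """Update provenance after a read tool returns; the text itself is not inspected."""
        if tool == "calendar.list_events":
            for event in result:
                # An invite from outside the organisation (accepted or not) is untrusted input.
                if not self._internal(session, event["organizer"]):
                    session.tainted = True
                    session.taint_sources.append(event["organizer"])
        elif tool == "email.search_inbox":
            session.inbox_read = True
            for message in result:
                if not self._internal(session, message["from"]):
                    session.tainted = True
                    session.taint_sources.append(message["from"])

    def check(self, session, tool, args):
        """Decide whether a requested tool call may run."""
        if tool in self.READ_TOOLS:
            return Decision(True, "read-only tool")
        if tool not in self.EFFECT_TOOLS:
            return Decision(False, f"unknown tool {tool!r}")
        if tool == "email.send":
            external = not self._internal(session, args["to"])
            if session.tainted and external:
                # Hard deny, not a confirmation prompt: this is the exfiltration shape.
                return Decision(False, "external send blocked: untrusted content in context")
            if session.tainted or external:
                return Decision(True, "send requires user approval", confirm=True)
            return Decision(True, "internal recipient")
        # Other side-effect tools: denied under taint, otherwise require confirmation.
        if session.tainted:
            return Decision(False, f"{tool} blocked: untrusted content in context")
        return Decision(True, tool, confirm=True)


def run_calendar_scenario():
    """Replay the flow described in the article against the gate; returns the decisions."""
    gate = PolicyGate()
    session = Session(user_domain="victim-corp.example")
    # Constructed calendar listing: one internal meeting and one unaccepted external invite
    # whose description stands in for instruction-like text (placeholder, not a real prompt).
    events = [
        {"organizer": "manager@victim-corp.example", "title": "Standup", "description": "Daily sync"},
        {"organizer": "attacker@outside.example", "title": "Catch up",
         "description": "[constructed placeholder for instruction-like text]"},
    ]
    gate.record_result(session, "calendar.list_events", events)
    # The model, following the injected text, searches the inbox...
    gate.record_result(session, "email.search_inbox",
                       [{"from": "hr@victim-corp.example", "subject": "Payroll"}])
    # ...then tries to send what it found to the attacker's address.
    exfil = gate.check(session, "email.send",
                       {"to": "attacker@outside.example", "body": "Payroll details"})
    # A legitimate internal reply in the same session is still possible, with approval.
    internal = gate.check(session, "email.send",
                          {"to": "manager@victim-corp.example", "body": "Joining standup"})
    return {"tainted": session.tainted, "exfil_allowed": exfil.allow,
            "internal_allowed": internal.allow, "internal_confirm": internal.confirm}


def run_clean_scenario():
    """Same gate with only internal calendar entries: external sends need approval, not denial."""
    gate = PolicyGate()
    session = Session(user_domain="victim-corp.example")
    gate.record_result(session, "calendar.list_events",
                       [{"organizer": "manager@victim-corp.example", "title": "Standup"}])
    send = gate.check(session, "email.send", {"to": "partner@other.example", "body": "Agenda"})
    return {"tainted": session.tainted, "external_allowed": send.allow,
            "external_confirm": send.confirm}


if __name__ == "__main__":
    print(run_calendar_scenario())
    print(run_clean_scenario())
```

The design choice worth noting is the hard deny for an external send once third-party content is in the context. The article’s own observation about “decision fatigue” is why: a confirmation dialog is exactly the control that fails when users click “approve” reflexively, so the case that matches the exfiltration shape gets no dialog at all, while ordinary external sends in a clean session still go through the normal approval step.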