plowunited.net – At Black Hat USA 2025, researchers revealed a new method called AgentFlayer that tricks AI systems into leaking sensitive data. The attack uses invisible text—white font on a white background—to hide malicious instructions inside documents. While humans cannot see the text, AI models like ChatGPT, Microsoft Copilot, and Google Gemini can read and follow these hidden commands.
Read More : Insta360 Go Ultra Launches This Week Ahead of Rivals
When an AI receives a document with this hidden text. It ignores the original prompt and executes the secret instruction instead. This often involves searching connected cloud storage for access credentials or confidential data. The attackers then extract the stolen data covertly, bypassing typical security measures.
Researchers Michael Bargury and Tamir Ishay Sharbat from Zenity demonstrated the attack on several popular AI tools. They manipulated ChatGPT to access Google Drive emails and found Microsoft Copilot Studio exposed over 3,000 instances of unprotected customer relationship management (CRM) data. tricked Salesforce Einstein into redirecting customer communications and showed that Google Gemini and Microsoft 365 Copilot were vulnerable to fake emails and calendar events. They also extracted Jira login credentials using crafted tickets.
The technique exploits AI’s inability to distinguish between visible and invisible instructions. Highlighting a serious gap in current AI safety protocols. This novel attack vector demands urgent attention as more organizations integrate AI systems with sensitive cloud services.
Industry Response and the Path Forward
Following the disclosure, OpenAI and Microsoft quickly issued patches to fix the vulnerabilities in their AI platforms. These updates aim to detect and ignore invisible text commands to prevent data theft. However, some other providers have been slower to respond. Certain companies have dismissed these exploits as “intended behavior,” causing concern among security experts.
Michael Bargury warned that the attack requires no user interaction, meaning data leakage can happen silently and without any suspicious activity from the user. This zero-action requirement raises the stakes for enterprise and personal AI users alike, as attackers can exploit this method remotely and invisibly.
To protect AI users, developers need to implement stricter input filtering and monitoring. Along with improved AI model training to recognize and reject hidden instructions. Regulatory bodies may also need to update cybersecurity guidelines to address emerging AI-specific threats like AgentFlayer.
As AI tools become more integrated with cloud infrastructure and daily workflows, understanding and mitigating these risks will be critical. Organizations should stay informed about new vulnerabilities and apply security patches promptly. Users must also remain cautious when sharing files or data with AI systems.
Read More : Russia Limits WhatsApp Access to Increase Surveillance
The AgentFlayer attack serves as a stark reminder that AI’s growing intelligence also requires robust security measures. Only through proactive collaboration between researchers, developers, and users can AI’s benefits be safely realized in the future.
