Zero-Click Attacks on AI Agents Demonstrated at Black Hat by Zenity CTO

The presentation by Michael Bargueri, CTO of Zenity, at Black Hat demonstrates zero-click attacks on AI agents, including Microsoft Copilot Studio, Salesforce Einstein, Cursor, and OpenAI’s ChatGPT, revealing that vulnerabilities from prior years persist and have worsened. The talk highlights how attackers can hijack AI agents without user interaction by exploiting tools, plugins, or shared files (e.g., Google Drive, calendar invites) to exfiltrate sensitive data, manipulate CRM records, or implant malicious memory for persistent access. Techniques include reverse-engineering system prompts, bypassing filters using Morse code or Base64 encoding, and weaponizing phrases like "recent cases" or "meeting summaries" to trigger delayed zero-click exploits. Over 3,000 unauthenticated Microsoft Copilot agents were found, while Salesforce’s Einstein could be tricked into altering customer emails via booby-trapped cases. OpenAI’s ChatGPT was shown vulnerable to memory implants via shared documents, enabling attackers to harvest API keys or push malicious libraries like "OpenAI Z" to users. The research underscores that AI guardrails are ineffective as "soft boundaries," advocating for hard boundaries like restricting dynamic tool access to reduce attack surfaces. Disclosures were made to Microsoft, Salesforce, and OpenAI, with varying responses, though fixes for some exploits (e.g., ChatGPT’s exfiltration) were implemented.