Research shows AI agents are highly vulnerable to hijacking attacks

Experts from Zenity Labs have demonstrated that some of the most widely used AI agents and assistants from Microsoft, Google, OpenAI, and other major companies are susceptible to hijacking attacks with minimal or no user interaction. This research highlights significant security risks including data theft, workflow manipulation, and user impersonation. During a presentation at the Black Hat USA cybersecurity conference, Zenity researchers revealed how attackers could exfiltrate sensitive data, disrupt critical organizational workflows, and in some cases, impersonate users by exploiting vulnerabilities in these AI agents. Beyond initial infiltration, attackers could also achieve memory persistence, maintaining long-term access and control over the compromised agents.

“They can manipulate instructions, poison knowledge sources, and completely alter the agent’s behavior,” said Greg Zemlin, product marketing manager at Zenity Labs. “This opens the door to sabotage, operational disruption, and long-term misinformation, especially in environments where agents are trusted to make or support critical decisions.”

Vulnerabilities Demonstrated

Zenity Labs researchers demonstrated vulnerabilities in multiple popular AI agents:

• OpenAI’s ChatGPT: Compromised via an email-based prompt injection that granted attackers access to connected Google Drive accounts.
• Microsoft Copilot Studio: Customer-support agents leaked entire CRM databases. Researchers found over 3,000 agents in the wild vulnerable to leaking internal tools.
• Salesforce Einstein: Manipulated to reroute customer communications to attacker-controlled email accounts.
• Google Gemini and Microsoft 365 Copilot: Could be turned into insider threats, enabling social engineering attacks and theft of sensitive conversations.

Industry Response

Zenity Labs responsibly disclosed their findings to the affected companies. Some vendors promptly issued patches, while others’ responses were less clear.
• Microsoft: Confirmed that ongoing systemic improvements have rendered the reported attacks ineffective. They emphasized built-in safeguards and access controls in Copilot agents and committed to further hardening their systems.
• OpenAI: Issued a patch for ChatGPT and maintains a bug bounty program encouraging disclosure of such vulnerabilities.
• Salesforce: Fixed the reported issue affecting their Einstein platform.
• Google: Recently deployed layered defenses addressing prompt injection attacks, underscoring the importance of multi-layered security strategies.

Broader Implications

As AI agents rapidly advance in enterprise environments, their adoption is encouraged as a productivity booster. However, the research underscores a concerning lack of adequate safeguards across many AI agent frameworks. Itay Ravia, head of Aim Labs, which previously demonstrated similar zero-click risks with Microsoft Copilot, remarked:

“Unfortunately, most agent-building frameworks, including those offered by AI giants such as OpenAI, Google, and Microsoft, lack appropriate guardrails, putting the responsibility for managing the high risk of such attacks in the hands of companies.”

This research highlights the urgent need for improved security measures to protect AI agents from hijacking attacks that could lead to sabotage, misinformation, and significant operational disruptions.

---

Frequently Asked Questions (FAQ)

AI Agent Security

Q: What are AI agents and why are they vulnerable? A: AI agents are AI-powered programs designed to perform tasks autonomously. They are vulnerable to hijacking attacks because attackers can exploit weaknesses in their programming, such as prompt injection, to manipulate their behavior and gain unauthorized access to data or systems. Q: What kind of data can be compromised through AI agent hijacking? A: Compromised AI agents can lead to the theft of sensitive data, including customer information, proprietary business data, workflow details, and even user impersonation. Q: Which major companies' AI agents were found to be vulnerable? A: Research identified vulnerabilities in AI agents from major companies like Microsoft (Copilot Studio, Microsoft 365 Copilot), Google (Gemini), and OpenAI (ChatGPT). Q: What is "prompt injection" in the context of AI agent security? A: Prompt injection is a type of attack where malicious input (a prompt) is given to an AI agent to trick it into performing unintended actions, such as revealing sensitive information or executing harmful commands. Q: How can organizations protect their AI agents from hijacking attacks? A: Organizations need to implement robust security measures, including secure coding practices, thorough testing, input validation, and continuous monitoring of AI agent behavior. Relying on vendor patches and employing multi-layered security strategies are also crucial.

Crypto Market AI's Take

The findings from Zenity Labs underscore a critical challenge in the rapid adoption of AI technologies: security. As AI agents become more integrated into business operations, from customer service to workflow automation, the potential for sophisticated attacks increases. This mirrors the evolving landscape of cybersecurity in the financial sector, where threats are becoming increasingly complex. At Crypto Market AI, we focus on leveraging AI for market analysis and trading, but we are acutely aware of the need for secure and reliable AI systems. Our commitment to providing robust AI-powered trading tools and comprehensive market intelligence is built on a foundation of understanding and mitigating risks, including those related to AI security and the integrity of data used to train these models.

More to Read:

• AI Agents: Capabilities, Risks, and Their Growing Role
• Understanding AI Agent Washing: Risks and Realities
• Top AI Crypto Coins to Watch in 2025

---

Source: Cybersecurity Dive