Ad
Skip to content
Subscribe Now
AI in practice
Copy the url to clipboard Share this article Go to comment section

An invisible prompt in a Google Doc made ChatGPT access data from a victim’s Google Drive

Maximilian Schreiner
Maximilian Schreiner View the LinkedIn Profile of Maximilian Schreiner
Aug 7, 2025
Image description
GPT-Image-1 prompted by THE DECODER

A single manipulated document was enough to get ChatGPT to automatically extract sensitive data—without any user interaction.

Security researchers at Zenity demonstrated that users could be compromised simply by having a document shared with them; no action was required on their part for data to leak. In their proof of concept, a Google Doc containing an invisible prompt—white text in font size 1—was able to make ChatGPT access data stored in a victim's Google Drive. The attack exploited OpenAI's "Connectors" feature, which links ChatGPT to services like Gmail or Microsoft 365.

If the manipulated document appears in a user's Drive, either through sharing or accidental upload, even a harmless request like "Summarize my last meeting with Sam" could trigger the hidden prompt. Instead of providing a summary, the model would search for API keys and send them via URL to an external server.

Growing use of LLMs in the workplace creates new attack surfaces

OpenAI was notified early and quickly patched the specific vulnerability demonstrated at the Black Hat conference. The exploit was limited in scope—entire documents could not be transferred, only small amounts of data were exfiltrated.

Ad
DEC_D_Incontent-1

Despite the fix, the underlying attack method remains technically possible. As LLMs are increasingly integrated into workplace environments, researchers warn that the attack surface continues to expand.

AI News Without the Hype – Curated by Humans

As a THE DECODER subscriber, you get ad-free reading, our weekly AI newsletter, the exclusive "AI Radar" Frontier Report 6× per year, access to comments, and our complete archive.

AI news without the hype
Curated by humans.

  • Over 20 percent launch discount.
  • Read without distractions – no Google ads.
  • Access to comments and community discussions.
  • Weekly AI newsletter.
  • 6 times a year: “AI Radar” – deep dives on key AI topics.
  • Up to 25 % off on KI Pro online events.
  • Access to our full ten-year archive.
  • Get the latest AI news from The Decoder.
Subscribe to The Decoder