Malicious Google Calendar invitations can hijack ChatGPT's Gmail connector and leak emails

A security researcher has shown how a malicious Google Calendar invitation can take control of ChatGPT and persuade it to leak private emails once Google connectors are switched on. In an X post on September 12, Eito Miyamura laid out a simple scenario: the attacker sends a calendar invitation laced with instructions and waits for the target to open ChatGPT and ask it to perform an action. ChatGPT then reads the booby-trapped event and follows the order to search Gmail and hand over confidential details. “All you need? The victim's email address,” says Miyamura.

In mid-August, OpenAI introduced native Gmail, Google Calendar and Google Contacts connectors in ChatGPT, initially for Pro users and then for Plus, with the release notes stating that the assistant can automatically refer to these sources in a chat once they have been authorized. That means a casual question such as “What's on my calendar today?” can pull data directly from the Google account without the source being selected explicitly each time.

What is happening under the hood is an indirect prompt injection. The attacker's instructions are hidden inside data that the assistant is allowed to read, in this case the text of a calendar event. In August, researchers showed how a compromised invitation can direct Google's Gemini to control smart-home devices and leak information, work that has been documented both in security reports and in a paper titled “Invitation Is All You Need”. The technical details vary by platform, but the underlying risk is the same whenever an assistant can read compromised calendar content.

Ultimately, nothing happens unless you have first connected Gmail and Calendar in ChatGPT, and the assistant's behavior still depends on the policies and prompts OpenAI applies when it consumes third-party content. The documentation also notes that you can disconnect sources or turn off automatic use, which limits the opportunity for a poisoned event to subvert a routine chat.

If you are worried, the most effective fix is on the Google side. Change Google Calendar's “Automatically add invitations” setting so that only invitations from known senders, or those you accept, appear on your calendar, and consider hiding declined events. Google's support pages walk through these options in detail, and Google administrators can set a safer default for their organization.
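The same policy can also be enforced on the connector side, before any event text reaches an assistant. The following is an added example, not code from the article, OpenAI or Google: it assumes events shaped like Google Calendar API event resources, and the function names, addresses and sample events are constructed for illustration.

```python
# Constructed sample events, shaped like Google Calendar API event resources
# (organizer.email, attendees[].self, attendees[].responseStatus).
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Sprint review", "description": "Agenda attached.",
     "organizer": {"email": "alice@example.com"},
     "attendees": [{"email": "me@example.com", "self": True, "responseStatus": "needsAction"}]},
    {"id": "evt-2", "summary": "Sync", "description": "<text addressed to the assistant>",
     "organizer": {"email": "stranger@example.net"},
     "attendees": [{"email": "me@example.com", "self": True, "responseStatus": "needsAction"}]},
    {"id": "evt-3", "summary": "Vendor demo", "description": "Dial-in details.",
     "organizer": {"email": "sales@example.org"},
     "attendees": [{"email": "me@example.com", "self": True, "responseStatus": "accepted"}]},
    {"id": "evt-4", "summary": "Offsite", "description": "Declined earlier.",
     "organizer": {"email": "alice@example.com"},
     "attendees": [{"email": "me@example.com", "self": True, "responseStatus": "declined"}]},
    {"id": "evt-5", "summary": "Focus time", "organizer": {"email": "me@example.com"}},
]

def self_response(event):
    """Return the user's own RSVP status, or None if the user is not an attendee."""
    for attendee in event.get("attendees", []):
        if attendee.get("self"):
            return attendee.get("responseStatus")
    return None

def is_trusted(event, user, known_senders):
    """Known sender or explicitly accepted, and never a declined event."""
    organizer = event.get("organizer", {}).get("email", "").lower()
    status = self_response(event)
    if status == "declined":
        return False                      # hide declined events
    if organizer == user or organizer in known_senders:
        return True
    return status == "accepted"           # unknown sender: only if the user accepted

def split_for_assistant(events, user, known_senders):
    """Return (exposed, withheld_ids); withheld event text is never forwarded."""
    exposed, withheld = [], []
    for ev in events:
        if is_trusted(ev, user, known_senders):
            exposed.append({"id": ev["id"], "summary": ev.get("summary", ""),
                            "description": ev.get("description", "")})
        else:
            withheld.append(ev["id"])     # keep only the id, for logging
    return exposed, withheld

if __name__ == "__main__":
    shown, hidden = split_for_assistant(SAMPLE_EVENTS, "me@example.com", {"alice@example.com"})
    print("exposed:", [e["id"] for e in shown], "withheld:", hidden)
```

The pending invitation from the unknown sender and the declined event are withheld, so their summary and description never enter the assistant's context.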

It is not that ChatGPT or Gmail has been “hacked”; rather, tool-using AI is extremely susceptible to hostile instructions lurking in the data you allow it to read. The connectors that make assistants more useful also expand the attack surface to calendars and inboxes. Until the industry has stronger default defenses against indirect prompt injection, the safest course of action is to be conservative about what you connect and, in this particular scenario, to lock down your calendar so that strangers cannot spring surprises on it.
