AI Agents Vulnerable to Prompt Injection

The vulnerability of AI agents to prompt injection is rooted in the model's fundamental inability to distinguish between its core instructions and data provided by users. This security flaw was first publicly detailed in September 2022 by Simon Willison, though researchers at Preamble had privately disclosed a similar "command injection" vulnerability to OpenAI as early as May 2022. The issue is so significant that the OWASP Foundation lists prompt injection as the number one most critical vulnerability for Large Language Model applications. AgentFlayer, a zero-click exploit chain discovered by Zenity researchers Michael Bargury and Tamir Ishay Sharbat, elevates this threat by targeting the external documents that AI agents are asked to process. The attack uses "indirect prompt injection," where malicious commands are hidden within these documents. These hidden instructions, invisible to a human user through techniques like using white text on a white background, are executed by the agent as it reads the document. The primary goal of the AgentFlayer attack is data exfiltration. The hidden prompt commands the AI agent to search for sensitive information within its connected data sources, such as a user's Google Drive. It then uses a clever trick to send this data to an attacker-controlled server by embedding the stolen information into a Markdown image URL, which is automatically fetched by the user's browser when the agent renders its response. The exploit also demonstrates a more persistent threat known as memory injection or context manipulation. By compromising an agent, an attacker can implant malicious memories that alter the agent's behavior in future sessions, effectively turning a trusted assistant into a persistent malicious actor. This allows for long-term data exfiltration and manipulation across multiple conversations without the user's knowledge. Zenity's research demonstrated these attacks are not theoretical, successfully executing them against major enterprise AI platforms including OpenAI's ChatGPT, Microsoft Copilot Studio, Google Gemini, and Salesforce Einstein. The exploits were able to leak entire CRM databases, reroute customer communications, and harvest developer credentials by weaponizing the agents' own legitimate functions. The core of the problem lies in the security models of current AI agents, which often rely on "soft boundaries"—natural language instructions about what not to do—rather than "hard boundaries," which are technical, code-level restrictions. Attackers can simply override these soft-boundary suggestions with their own injected commands, highlighting a fundamental architectural challenge for developers in the AI space.