A critical vulnerability has been uncovered in ChatGPT’s new calendar integration, exposing how attackers could exfiltrate sensitive user data—particularly emails—through a deceptively simple exploit. Security researchers at EdisonWatch, led by Eito Miyamura, demonstrated how a malicious calendar invitation could contain hidden instructions that ChatGPT would execute when a user checked their calendar. Shockingly, the victim doesn’t even need to accept the invite: the moment ChatGPT reads it, the hidden commands can instruct the model to retrieve and send private inbox data to an attacker’s address.
This type of AI-driven attack exploits the Model Context Protocol (MCP) that allows ChatGPT to connect with personal and enterprise tools. While the exploit currently requires developer mode and user approval, Miyamura highlights how “decision fatigue” makes users more likely to click approve repeatedly, paving the way for exploitation.
Importantly, this is not an isolated issue. Similar flaws have been reported in other AI assistants like Gemini, Copilot, and Salesforce Einstein, underscoring a systemic weakness in how LLMs interact with third-party applications. Past demonstrations have shown these vulnerabilities can be weaponized not just to steal emails, but also to delete events, reveal locations, or even manipulate smart devices.
To address the risk, EdisonWatch has released an open-source security solution designed to enforce policy-as-code and monitor AI interactions, providing a safeguard against these integration-based attack vectors.
This episode explores how the exploit works, why approval fatigue is the real vulnerability, and what this means for the future of AI-native security in enterprise environments.
#ChatGPT #EdisonWatch #AIsecurity #CalendarIntegration #DataExfiltration #LLMsecurity #Gemini #Copilot #SalesforceEinstein #PromptInjection #DecisionFatigue #EnterpriseSecurity
