How This AI attack tricked ChatGPT to Silently Steal User Emails!
Today’s post unpacks a simple calendar invite trick that attackers can use to exploit ChatGPT’s new MCP connectors and silently steal your emails!
Picture this.
It’s a fine morning. You log into your laptop, coffee in hand, ready for the day.
You fire up ChatGPT and ask it to prep you for your meetings.
And just like that — without you typing a single sensitive word — your emails get silently exfiltrated to an attacker.
That’s the whole attack.
No phishing link clicked.
No malware installed.
No warning signs.
Just your assistant, doing what it thinks you asked.
Let’s unpack how this is even possible.
The Context
OpenAI recently added full support for MCP (Model Context Protocol) tools in ChatGPT.
In simple terms, MCP is a universal adapter for AI.
It standardizes how ChatGPT can connect to services like Gmail, Calendar, SharePoint, GitHub, and more.
The power here is enormous: suddenly, your AI assistant can fetch files, read your email, check your calendar, send messages, even search your company’s knowledge base.
But with that power comes risk.
Because the more connectors you give the model, the larger its attack surface becomes.
(Credits to EdisonWatch for reporting this).
The Attack Flow
The attacker sends a specially crafted calendar invite to the victim > The victim doesn’t need to accept the invite, it still works.
The invite contains instructions that ask the agent to search for sensitive information in the victim’s inbox and send it to an email address specified by the attacker (see pic for ref).
Victim now logins in > Asks ChatGPT to check their calendar and help them prepare for the day.
ChatGPT reads the calendar invite > Encounters attackers instruction > Assumes its legitimate command > Searches user’s private emails and sends the data to the attacker’s email.
User has no clue as data gets stolen silently!
Key Reflections
These are called ‘jailbreak prompts’.
They are evolving from text to context. Early jailbreaks were clever prompts typed directly into a chat interface. Now attackers are hiding prompts inside the ecosystem around the model (calendar items, documents). As the assistant gains more connectors, its attack surface grows.
MCP is like a universal adapter for AI.
It standardises how the model talks to services like Gmail, SharePoint, or GitHub. The power is huge: suddenly your AI can read your calendar, fetch files, send emails, or search company drives. But the risk is equally big.
The MCP is risky.
MCPs let models act on your behalf. They turn a chat agents into agents with keys to data. That’s valuable for productivity. It’s also valuable to attackers.
Approvals aren’t foolproof.
OpenAI currently restricts MCPs to developer mode and requires manual approvals. That’s good. But humans are fallible. Click-approve fatigue is real. If approvals become routine, users will click through.
Not a ChatGPT problem.
Its not a ChatGPT problem. Its an ecosystem problem. These attacks aren’t unique to OpenAI. They affect any LLM agent that connects to real data. The risk is straightforward: if an agent ingests untrusted input, it can be manipulated. If it has connectors, those connectors can be abused.
Enterprises face higher stakes.
In an enterprise world, these AI assistants aren’t just reading email. They’re getting wired into the company’s nervous system: mail, drives, chat, source code. A single poisoned input can silently exfil data, impersonate trusted users or manipulate workflows. Enterprises must start treating AI connectors as high-risk vectors.
Wow, the MCP tool integration really stood out; your explanation highlights how critial securing these universal adapters is for systemic AI safety.