# Stop Using AI Connectors Until You Watch This

## Метаданные

- **Канал:** NahamSec
- **YouTube:** https://www.youtube.com/watch?v=_3TfHEfVvCQ
- **Дата:** 04.05.2026
- **Длительность:** 10:54
- **Просмотры:** 4,208
- **Источник:** https://ekstraktznaniy.ru/video/51730

## Описание

LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍

📚 If you want to learn bug bounty hunting from me:  https://bugbounty.nahamsec.training
💻 If you want to practice some of my free labs and challenges: https://app.hackinghub.io

Your ChatGPT connectors are a hacker's goldmine. Plug in Gmail, Calendar, Notion, or Drive, and any attacker who can email you has a way into your AI agent. In this episode, @TakSec breaks down a real bug bounty POC where one connector covered two of the three ingredients an attacker needs to fully hijack an AI agent and exfil sensitive data.

We cover:
- What connectors actually expose when you plug them into ChatGPT
- How AI agents get phished the same way humans do
- The 3 ingredients every prompt injection attack needs (input, target, exfil)
- A live POC that earned a several-thousand-dollar bounty
- Why your email is the master key to everything (password manager, 2FA, crypto recovery)
- How attackers scale this with watering hole and ID

## Транскрипт

### Segment 1 (00:00 - 05:00) []

So, you know those things where you let ChatGPT plug into your Google account, your calendar, your Outlook, your Notion, maybe your whole life? Well, turns out those connectors can be hijacked and used against you. So, I invite my buddy Taxic to come on the channel and help break down exactly how you can do it. But, real quick though, before we dive into this episode, this is a series and every episode I bring on a different hacker to break down a different attack path. So, if you haven't seen the other episodes, go check them out in the links down below in the description of the video. And if you want to see somebody on this channel next, drop their names in the comment section. That is literally how I pick the guest. It's based on who you invite and also who our guest are recommending. All right, let's get into it. Yeah, so third-party connectors are a gold mine because they're a treasure trove of data. There's sensitive data in there, right? So, if you think about, okay, what is an AI agent and how does it use these connectors for like a normal user? And people want, you know, especially with open claw now, like everyone wants their agents to be able to do things, right? So, they have access to your email, Google calendar, maybe your Notion knowledge base, all these treasure troves, which makes the AI agent more useful, but also makes it way more dangerous, especially if you compare it to just a basic LLM where it can only see the conversation that you have with it, right? Once you start adding on all these different third-party connectors, the danger level just goes through the roof. The severity of vulnerabilities goes much higher. Yeah, I mean, as this chatbot let's put it, it's a gold mine, right? But, it makes sense. But, what does it actually look like in practice with something like Notion, my input is trusted, right? Unless I invite somebody in, no one can change it. But, with Gmail, anyone can send me an email. So, how does somebody actually abuse this and maybe hijack some sessions or steal private data? — So, AI agents are actually vulnerable to the same thing humans are, which is fishing attacks, basically. Like, you can basically fish an AI agent in a way. They're vulnerable to similar sorts of uh like social engineering type attacks. So, you can actually send someone an email and give it like some sort of a framing device. Like, "Oh, here's a challenge for this AI to solve. " Or use some sort of encoding technique to try to trick the AI. And then so, when a normal just imagine a normal user, right? You want to have it check your email. Nobody likes to check their email, right? So, [snorts] you have your agent go check your email and now it's seeing the attacker's email. And once As soon as it sees that attacker's email, if you craft it just right, it's game over. Like, that's an injection right there and it can completely hijack the rest of whatever it was planning to do. So, the user gave it a goal like go read my emails and now that goal is going to be completely hijacked, right? So, now the attacker has full control of this agent and all of the power that the agent has, which includes your email now. — So, let me get this straight. The goal goes from go through my inbox, clean it up, and do whatever it is attacker puts in there, right? Send an email to my CEO telling him to screw off, whatever that could be. And then the agent has all the permissions just working for somebody else that's not me. And the scary part is probably what your email is actually wired into and what kind of access it has, right? — Yeah, exactly. Like, if you think about it these days, your email is the main key to every all of your accounts. Like, people log in via email, people log in they use password reset in their email. Like, everything's tied to email these days. So, there's all kinds of uh gold in there. One of the biggest dangers of these third-party connectors uh in an AI agent is let's say for example with our initial email example. If you can imagine it has full access to your email, what all the different things that it can read and also like give to the attacker with the right mechanism, right? So, you can imagine a super sensitive conversation you have with a loved one. Uh it could be like proprietary business information. It could be uh it could be a password reset email and maybe you could take over like do an account takeover. Um it could be like anything. It could be PII, it could be all your sensitive information like this tax documents or something. It could be anything. Wow, just thinking about what is changing your email address is pretty crazy if you think about it. Like your password manager, your 2FA codes, your bank, your phone provider, PDFs, your tax documents. And the one that probably no one wants to really acknowledge is also probably your crypto, right? So if wallet recovery hits that inbox, it is probably the easiest and cleanest path to drain it. So walk me through a real scenario. I know you have actually pulled this off in the past. Do you have some sort of a bug bounty example? At a live hacking bug bounty event, I was able to get some of these sorts of attacks that use third-party connectors with AI agents. And so basically the flow is you need there's three ingredients that you need. First, you need a way to get a prompt injection payload into the context of the agent, right? So that's like the input. Then you need some target information to grab. So the like sensitive information. And then the third part is you need a way to get the data exfil out of the agent, right? You need a [snorts] way to get it to the attacker. What's interesting is the third-party

### Segment 2 (05:00 - 10:00) [5:00]

plugin can actually be all three of those or it can be two of one or two of those, right? So in So in at this live hacking event, I was able to find a connector that is able to talk to email and calendar and you're actually able to target So you could I did a couple POCs, but basically one of the POCs for example would have an email that gives a prompt like it's giving the AI agent something to solve and also uses a layer of encoding to trick the guardrails. So that like I said earlier, basically if you put enough effort into that prompt and you pick the right words, you can hijack it. And it does take some time to bypass that model layer to jailbreak it so to speak. So first figure out the flow. Okay, I need to You a prompt injection there. And you got to craft like a nice payload, right? And then the instructions that are hijacked in there were basically something like, "Okay, go to my go to this other email, like password reset or this email with tax information. Go to this email, grab use a connector, grab that information, and then put it into a URL, in this case my the attacker's website. " So, attacker. com/ and then put all of the data in there, like social security number, first name, last name, phone number, password reset token, what whatever the case may be. And then in this case it was like an image tag injection, so in the actual like chatbot area or the AI agent area, there was a way to inject an image tag to the attacker's website. So, from the user's perspective, when they're on the page, it automatically sends that request cuz it's trying to load that image. And so you're able to get that full chain, and two of those parts of the chain are a reminder that they're in the third-party connector, right? Because the third-party connector has way more sensitive information than just the vanilla chat session by itself. Okay, let me make sure I understand this quickly. The connector is the input, the attacker's email lands inside the agent's context, and then the connector is also the target, maybe it's like a delivery, and that's where the attack happens, right? And the image tag is our exfil. You send the data straight to our website, and it just collects all that PII that we want. That is pretty wild if you think about it. But, tell me, was there a bounty attached to this? Yes, I think it was like a several thousand-dollar bounty for this one. It Something that you'll find with a bug bounty programs is they they're everyone's trying to figure out how the severities work and how these vulnerabilities work, like how they estimate the severity. So, I mean, sometimes you'll be surprised that it goes high, and low. Like it it's everyone's trying to figure it out right now. That's the thing though, I feel like there is a need for us to have a CVSS for LLM findings because if it's hitting one user, fine, it's one thing. But, the second you can plant a prompt injection somewhere every user's agent reads from. I feel like that goes from like a single user to just a mass PII maybe leakage or account takeover and things like that and that could be very critical, but it's not critical every time. So, it's going to be a tough one for us to figure it out. Back on the technical side, the image tag is one exfil channel, but it doesn't really have to be. What if you just had the agent send you a calendar invite in it drops your password reset token into the title, invites you in, and you get access, right? So, anywhere a connector has write access, it could be kind of crazy, right? So, I have seen that as well. So, that is that's funny that you say that. On a different engagement, there was basically something like that where you could like for example like a Google Doc, you could share a Google Doc with someone, and then they could just put the information in the Google Doc. Uh so, yeah, if you have write access on any of the add-ons, like they're definitely worth looking at. You need all three of the ingredients. So, like let's say for example, you had a way to fish the agent or like social engineer the agent to get a prompt injection in, but if you don't have a way to get the data out, it's pretty limited what you can do. You can maybe like manipulate something or delete something or maybe poison their memory or something, but if you don't have a way to get the information out, it kind of limits the severity of the vulnerability. There's ways to scale it up as well. Like you can like imagine like a watering hole attack or something like that. If it's an app where there's multiple users involved, you can do some sort of put the prompt injection in a place where everyone goes to and do like some sort of watering hole attack. Just imagine like an enterprise SaaS software, right? Where it could be uh it could be a knowledge base or it could be like a chat interface or something like that where everyone has access to a particular channel or knowledge base. And then if they try to query that with the agent, like the agent reads that information there, and then an attacker is able to hide an actual payload for a prompt injection, then anytime that the agent looks at it, they get hijacked. — That opens up a second layer, right? Like IDOR know bugs where you can override someone else's company knowledge base and then their chatbot is kind of poisoned every time like an employee wants to touch it. Uh, it just feels like so many moving pieces inside of the LLM that we haven't even thought about like the attack path, right? All right, I know we're coming to an end and you do our tradition here. What is the challenge for me and everyone watching this episode? All right, Ben. This is the challenge that I

### Segment 3 (10:00 - 10:00) [10:00]

have for you and the audience. I want you to find an AI agent that has access to third-party connectors and try a data exfil with your accounts. All right, I love that. And like you know, every episode we end it with asking you to nominate someone that you want to turn this channel. Who would you like to see come up as the next for the next episode? — For the next episode, I would love to see Edward Morris. All right, that was it. Big shout out to Taxic for coming on to the channel and helping me out and making this episode possible. As always, if you want to see somebody on this channel, drop them down in the comments. If you haven't already, do me a favor. We're at 200,000 subscribers right now and our next goal is 300,000. So, if you haven't already, hit that subscribe button, become a homie. And if you haven't, hit the like button, too, and I will see you all in next week's episode. Peace.