A new calendar integration for ChatGPT can be abused by attackers to execute commands and steal a user’s emails. Researchers at the AI security firm EdisonWatch demonstrated the potential impact of the flaw, which exists within ChatGPT’s new Model Context Protocol (MCP) tool.
How the Attack Works
The attack starts with a specially crafted calendar invitation sent by an attacker to a target. The invitation contains a hidden "jailbreak prompt" that instructs ChatGPT to search for sensitive information in the victim’s inbox and send it to an email address controlled by the attacker.
Perhaps most surprisingly, the victim doesn't need to accept the calendar invite for the attack to work. The malicious prompt is triggered when the victim simply asks ChatGPT to check their calendar or help them prepare for the day. While the feature is currently in developer mode and requires the user to manually approve the chatbot's actions, an EdisonWatch researcher pointed out that "decision fatigue is a real thing," suggesting that most people would just trust the AI and click "approve" without knowing the full risk.
A Known Vulnerability
The findings are not unique to ChatGPT. Last month, researchers demonstrated a similar calendar invite attack that targeted Gemini and Google Workspace. They showed how an attacker could not only steal emails but also conduct phishing campaigns, delete calendar events, learn the victim’s location, and even control home appliances.
The flaw is part of a known class of vulnerabilities related to how AI tools integrate with third-party services. Because of this, the researchers did not report their findings to OpenAI, as they assume the company is already aware that these types of attacks are possible. To help companies and individuals, EdisonWatch has released a version of an open-source solution designed to mitigate the most common types of AI attacks and help reduce the risk of data exfiltration.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
