Israeli cybersecurity company Zenity revealed what it defines as the first-ever “Zero Click” vulnerability in OpenAI's ChatGPT service, showing how one could take control of a ChatGPT account and extract sensitive information without the user clicking a link, opening a file, or performing any deliberate action.
The demonstration was conducted by Mikhail Bergori, co-founder and CTO of Zenity, during the Black Hat 2025 conference held this week in Las Vegas, in the US.
He showed how a hacker could exploit the system using only the user's email address to gain full control over the user's chat, including access to both past and future conversations, altering the conversation's goals, and guiding the chat to act on behalf of the hacker.
During the lecture, it was demonstrated how the attacked ChatGPT became a malicious agent operating covertly against the user. The researchers pointed out how the hacker could prompt the chatbot to suggest that the user download a certain virus, recommend incorrect business tips, or even access files stored on Google Drive as long as they were connected to the account.
All of this could be done without the user ever realizing that something had gone wrong. The vulnerability was fully patched only after Zenity reported it to OpenAI.
The attack on ChatGPT was not the only one
During the conference, the company's researchers showed how they had also managed to breach other popular AI agent services. In Microsoft's Copilot Studio, a way was revealed to leak entire CRM databases.
In the case of Salesforce Einstein, hackers created fake service requests that redirected all customer communications to email addresses under their control.
Google Gemini and Microsoft 365 Copilot systems were repurposed as hostile agents that performed social engineering on users and leaked sensitive conversations through email messages and calendar events.
The development tool Cursor, when integrated with Jira MCP, was also exploited in an attack where malicious tickets were used to steal developers' login credentials.
Zenity noted that some companies, like OpenAI and Microsoft, quickly released patches following the report. However, there were also companies that chose not to address the vulnerabilities, claiming that it was the system's intended behavior rather than a security flaw.
According to Mikhail Bergori, the new challenges stem from the fact that agents today are not just assistants performing simple tasks but digital entities acting on behalf of users — opening folders, sending files, and accessing emails. He pointed out that this is like a "paradise" for hackers, as there are countless potential entry points.
Ben Kaliger, co-founder and CEO of the company, emphasized that Zenity's research clearly shows that current security approaches are not suitable for the actual operational practices of agents, and that organizations must change their approach and seek dedicated solutions that will allow them to control and monitor the activities of these agents.
Zenity was founded in 2021 by Ben Kaliger and Mikhail Bergori. The company currently employs around 110 people worldwide, with 70 working out of the company's Tel Aviv offices. Among its clients are Fortune 100 companies and even Fortune 5 companies.