AI agents are 'gullible' and easy to turn into your minions

https://www.theregister.com/headlines.atom
Summary

RSA 2026 There's a very simple reason why just about every enterprise AI agent is vulnerable to zero-click attacks, according to Michael Bargury, CTO of AI security company Zenity.

"AI is just gullible," Bargury said in an interview with The Register. "We are trying to shift the mindset from prompt injection - because it is a very technical term - and convince people that this is actually just persuasion. I'm just persuading the AI agent that it should do something else."

That something else includes persuading Cursor to leak developers' secrets, Salesforce agents to send all customer interactions to an attacker-controlled server, or ChatGPT to steal Google Drive data.

"Even more than that, I can get ChatGPT to manipulate you," Bargury said. "ChatGPT is a trusted advisor. You ask it questions that can be sensitive, you ask it for advice. It can be manipulated to answer whatever I want - and not just in the specific conversation, but long term."

Bargury is giving a talk on Monday at RSAC, titled "Your AI Agents Are My Minions," during which he will demo these and other zero-click prompt injection attacks against Cursor, Salesforce, ChatGPT, Gemini, Copilot, Einstein, and their custom agents. He shared his research with The Register ahead of his RSAC presentation, and said it builds on work he has done over the past couple of years - presented at Black Hat and other security conferences - developing working exploits in all of the big AI assistants that require no user interaction.

Earlier this month, Zenity disclosed a family of vulnerabilities that allowed attackers to steal local files from someone using Perplexity's Comet browser simply by sending the victim a calendar event.

0-click prompt injection

"What we're seeing now is that because agents gain access to data that they can browse at will, this becomes an attack factor that leads to zero-click exploitation," he said.
"An attacker goes to the internet, they find a way to target you specifically, they send the p...

First seen: 2026-03-23 18:09

Last seen: 2026-03-25 19:54