A Simple Calendar Invite Can Make ChatGPT Leak Your Data

OpenAI has enabled support for the Model Context Protocol (MCP) in ChatGPT, permitting third-party services such as Gmail, calendars, SharePoint, Notion and other data sources to be integrated. The intent was to enrich the assistant’s capabilities by granting it access to a user’s real information; yet researchers quickly demonstrated that the feature can precipitate large-scale data leaks.

The core problem is literalism: the model follows instructions verbatim, lacking any capacity to gauge their danger. For a successful attack, an adversary need only an email address. The subsequent chain is alarmingly simple. An attacker crafts a calendar invitation that embeds a jailbreak-style prompt; the invitation is sent to the victim. Acceptance by the user is irrelevant—mere presence of the event in the calendar suffices to trigger the exploit.

When the account owner asks ChatGPT to help prepare for a meeting and to review their calendar, the model reads the invitation’s contents. Instead of benign metadata about organizer and time, the assistant encounters the embedded command. Control is thereby seized by the attacker: ChatGPT begins to execute the malicious directives. In the demonstrated scenario, the model, prompted by the calendar entry, searches the victim’s email and exfiltrates discovered messages to an attacker-specified address.

The situation exemplifies the “Lethal Trifecta” concept described by researcher Simon Willison: risk materializes when three conditions converge—authorized access to a service such as Gmail, processing of untrusted external content, and the capability to take actions outside the system (for example, sending email). Individually these elements are manageable; together they render any assistant a fragile conduit for data theft.

For now, OpenAI retains MCP as a developer-level tool and requires manual approval for each connection, but that very approval workflow introduces another hazard. Consent fatigue may set in—users, trusting the assistant, may mechanically click “allow” repeatedly without appreciating what access they are granting.

This incident underscores how contemporary AI assistants can be deceived by elementary social-engineering tactics. Even absent infrastructure compromise or software vulnerabilities, a cleverly embedded text prompt is sufficient to coax confidential data from a system. The episode highlights the fragility of architectures in which general-purpose language models are granted direct access to users’ personal services.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy