A recent demonstration by an X user, Eito Miyamura, a developer and Oxford alumnus, has highlighted a potential security vulnerability in OpenAI’s ChatGPT.
Oxford developer demonstrates ChatGPT security flaw
In a social media post on Friday, Miyamura claims he was able to exploit the newly introduced Model Context Protocol (MCP) tools to access and leak private user data, including emails and calendar events, using nothing more than the victim’s email address.
OpenAI recently announced full support for MCP tools in ChatGPT, which allow the AI to connect with and read data from various platforms, including Gmail, Google Calendar, SharePoint, and Notion. The feature is intended to enhance productivity by letting ChatGPT access information across different services. However, Miyamura’s demonstration shows that it could also introduce serious security risks if misused.
According to Miyamura, the attack works by sending a calendar invite containing a “jailbreak” prompt to a victim. The victim does not need to accept the invite. Once the user asks ChatGPT to help organise their day by checking their calendar, the AI reads the malicious invite and follows the attacker’s instructions, added Miyamura.
This reportedly allows the attacker to potentially access private emails and send them to their own address.
Limitations and risks
Currently, MCP tools are only available in developer mode and require manual approval for each session. Nonetheless, Miyamura warns that decision fatigue could lead ordinary users to blindly approve requests, placing sensitive data at risk.
Meanwhile, OpenAI has recently rolled out a highly requested feature in ChatGPT, allowing users to branch conversations and explore multiple directions without losing the original thread. The update is now available to logged-in users on the web.
This announcement came via OpenAI’s X account on Friday, following requests from users who wanted greater flexibility in managing their conversations. The feature allows users to pursue alternative threads at specific points in a chat, making it easier to experiment with different lines of discussion or side prompts without muddying the original context.