TLDR: A recently introduced feature in ChatGPT, supporting Model Context Protocol (MCP) tools, has been identified as a potential vulnerability allowing attackers to steal private email details. The exploit reportedly involves malicious calendar invitations that can hijack the AI agent, requiring only the victim’s email address.
A significant cybersecurity concern has emerged following the integration of Model Context Protocol (MCP) tools into ChatGPT, a development announced by OpenAI. Security researchers have demonstrated that this new capability could be exploited by malicious actors to exfiltrate sensitive private information directly from users’ email accounts. The vulnerability, highlighted by an X user, illustrates how a seemingly innocuous malicious calendar invitation can be leveraged to hijack the AI agent, subsequently compromising email data. This attack vector reportedly requires only the victim’s email address.
OpenAI had announced on Wednesday, September 10, 2025, that ChatGPT would begin supporting MCP tools, an innovation originally from AnthropicAI. While intended to enhance the AI’s functionality and interaction with personal data applications, this integration has inadvertently opened a new avenue for potential data breaches. Experts warn that users might unknowingly expose sensitive information through this mechanism.
Also Read:
- AI’s Rapid Evolution: Misinformation, Cyber Threats, and Market Shifts Dominate Recent Headlines
- Safeguarding Artificial Intelligence in Healthcare: Addressing Emerging Threats in Clinical Systems
Ethereum co-founder Vitalik Buterin has also weighed in on the broader implications, sounding an alarm regarding AI governance risks. Buterin’s concerns extend to how AI agents can be manipulated through simple methods, underscoring the inherent security challenges and the need for robust safeguards in rapidly evolving AI technologies. The incident with ChatGPT’s MCP tools serves as a stark reminder of the critical importance of scrutinizing new AI features for potential security flaws before widespread deployment.
