ChatGPT Vulnerability Could Let Hackers Steal Your Google Drive Files

A critical vulnerability in ChatGPT’s integration with Google Drive has raised alarms, potentially allowing hackers to access and steal users’ files, according to a report from cybersecurity firm Salt Security published on August 6, 2025. The flaw, tied to OpenAI’s API for third-party integrations, could expose sensitive documents if exploited, prompting urgent warnings and a swift response from OpenAI.

The Vulnerability Explained

The issue stems from a flaw in ChatGPT’s Google Drive integration, which enables users to connect their accounts for tasks like summarizing or analyzing documents. Salt Security researchers found that attackers could manipulate OAuth tokens used in the authentication process to gain unauthorized access to a user’s Google Drive. By crafting malicious prompts or exploiting misconfigured API permissions, hackers could potentially view, download, or manipulate files without the user’s knowledge.

The vulnerability is particularly concerning for ChatGPT Pro and Enterprise users, who rely heavily on cloud integrations for productivity. “This is a classic supply chain attack vector,” said Yaniv Balmas, Salt Security’s VP of Research. “A single compromised token could expose an entire Drive’s contents, from personal notes to corporate contracts.” The flaw does not require sophisticated skills, making it accessible to low-level cybercriminals.

Real-World Risks

The discovery follows a surge in AI-related security incidents. In July 2025, TechCrunch reported that shared ChatGPT conversations were indexed by Google, exposing sensitive user data like resumes and personal queries, highlighting the risks of public-facing AI integrations. While OpenAI ended that experiment, the Google Drive flaw underscores ongoing challenges in securing AI-driven workflows. Posts on X have amplified concerns, with users like TechEthics2025 warning, “AI’s convenience comes at a cost—your data’s safety.”

The potential impact is significant. Google Drive hosts an estimated 2 billion users’ files globally, including sensitive documents like financial records and legal agreements. A breach could lead to data theft, ransomware demands, or corporate espionage. For instance, a 2024 Hong Kong case saw a $25 million loss due to a deepfake video scam, illustrating the financial stakes of AI vulnerabilities.

OpenAI’s Response

OpenAI acknowledged the issue on August 7, 2025, stating it has deployed a patch to strengthen OAuth token validation and limit API permissions. “We’ve taken immediate steps to secure the Google Drive integration and are auditing all third-party connections,” an OpenAI spokesperson told TechCrunch. The company also advised users to revoke ChatGPT’s Google Drive access via their Google account settings and reconnect using the updated integration. No evidence of active exploitation has been reported, but OpenAI is monitoring for suspicious activity.

How to Protect Yourself

Cybersecurity experts recommend the following steps to safeguard your Google Drive data:

Revoke Access: Go to your Google Account’s “Security” settings, navigate to “Your connections to third-party apps & services,” and remove ChatGPT’s access. Reconnect only after confirming the updated integration.
Limit Permissions: When granting ChatGPT access, ensure it only has permission to view or edit specific files, not your entire Drive.
Monitor Activity: Check your Google Drive’s “Shared with me” and “Recent” tabs for unauthorized access or unfamiliar files.
Use Strong Authentication: Enable two-factor authentication (2FA) on your Google account to prevent unauthorized logins.
Be Cautious with Prompts: Avoid sharing sensitive data in ChatGPT prompts, as they may be processed or stored insecurely.
Update Software: Ensure your browser and apps are up-to-date to benefit from the latest security patches.

Broader Implications

The vulnerability highlights the growing risks of AI integrations with cloud services, as platforms like ChatGPT expand functionality. The EU’s AI Act, effective August 1, 2025, mandates rigorous security assessments for such systems, and this incident may prompt stricter enforcement. In the U.S., the FTC is investigating similar API vulnerabilities, with potential fines for non-compliance under data protection laws.

On X, sentiment reflects unease, with users urging OpenAI to prioritize security over features. The incident follows other AI-related controversies, such as xAI’s Grok generating unauthorized explicit content, underscoring the need for robust guardrails. As AI tools become ubiquitous, users and organizations must balance productivity gains with heightened vigilance to stay safe in an increasingly complex digital landscape.