{"guid":"436bfcb2-e13b-5924-8089-0e5f505102fd","title":"0click Enterprise compromise – thank you, AI!","subtitle":null,"slug":"why2025-264-0click-enterprise-compromise-thank-you-ai","link":"https://program.why2025.org/why2025/talk/SELH79/","description":"Compromising a well-protected enterprise used to require careful planning, proper resources, and ability to execute. Not anymore! Enter AI.\n\nFrom Initial Access to Impact and Exfiltration. AI is happy to oblige the attacker. In this talk we will demonstrate access-to-impact AI vulnerability chains in most flagship enterprise AI assistants: ChatGPT, Gemini, Copilot, Einstein, and their custom agent . Some require one bad click by the victim, others work with no user interaction – 0click attacks.\n\nCompromising a well-protected enterprise used to require careful planning, proper resources, and ability to execute. Not anymore! Enter AI.\n\nInitial access? AI is happy to let you operate on its users’ behalf. Persistence? Self-replicate through corp docs. Data harvesting? AI is the ultimate data hoarder. Exfil? Just render an image. Impact? So many tools at your disposal. There's more. You can do all this as an external attacker. No credentials required, no phishing, no social engineering, no human-in-the-loop. In-and-out with a single prompt.\n\nLast year at BHUSA we demonstrated the first real-world exploitation of AI vulnerabilities impacting enterprises, living off Microsoft Copilot. A lot has changed in the AI space since... for the worse. AI assistants have morphed into agents. They read your search history, emails and chat messages. They wield tools that can manipulate the enterprise environment on behalf of users – or a malicious attacker once hijacked. We will demonstrate access-to-impact AI vulnerability chains in most flagship enterprise AI assistants: ChatGPT, Gemini, Copilot, Einstein, and their custom agent . Some require one bad click by the victim, others work with no user interaction – 0click attacks.\n\nThe industry has no real solution for fixing this. Prompt injection is not another bug we can fix. It is a security problem we can manage! We will offer a security framework to help you protect your organization–the GenAI Attack Matrix. We will compare mitigations set forth by AI vendors, and share which ones successfully prevent the worst 0click attacks. Finally, we’ll dissect our own attacks, breaking them down into basic TTPs, and showcase how they can be detected and mitigated.\n\nLicensed to the public under https://creativecommons.org/licenses/by/4.0/","original_language":"eng","persons":["Inbar Raz"],"tags":["264","2025","why2025","Hacking","Delphinus","why2025-eng","Day 3"],"view_count":789,"promoted":false,"date":"2025-08-09T19:00:00.000+02:00","release_date":"2025-08-10T00:00:00.000+02:00","updated_at":"2026-03-27T14:30:07.283+01:00","length":3061,"duration":3061,"thumb_url":"https://static.media.ccc.de/media/events/why2025/264-436bfcb2-e13b-5924-8089-0e5f505102fd.jpg","poster_url":"https://static.media.ccc.de/media/events/why2025/264-436bfcb2-e13b-5924-8089-0e5f505102fd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/why2025/264-436bfcb2-e13b-5924-8089-0e5f505102fd.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/why2025/264-436bfcb2-e13b-5924-8089-0e5f505102fd.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/why2025-264-0click-enterprise-compromise-thank-you-ai","url":"https://api.media.ccc.de/public/events/436bfcb2-e13b-5924-8089-0e5f505102fd","conference_title":"What Hackers Yearn 2025","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025","related":[],"recordings":[{"size":509,"length":3061,"mime_type":"video/webm;codecs=av01","language":"eng","filename":"why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_av1-hd.webm","state":"new","folder":"av1-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-10T14:32:51.103+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/av1-hd/why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_av1-hd.webm","url":"https://api.media.ccc.de/public/recordings/89221","event_url":"https://api.media.ccc.de/public/events/436bfcb2-e13b-5924-8089-0e5f505102fd","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":46,"length":3061,"mime_type":"audio/mpeg","language":"eng","filename":"why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-08-11T17:54:24.425+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/mp3/why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/89531","event_url":"https://api.media.ccc.de/public/events/436bfcb2-e13b-5924-8089-0e5f505102fd","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":29,"length":3061,"mime_type":"audio/opus","language":"eng","filename":"why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-08-11T01:01:24.435+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/opus/why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_opus.opus","url":"https://api.media.ccc.de/public/recordings/89296","event_url":"https://api.media.ccc.de/public/events/436bfcb2-e13b-5924-8089-0e5f505102fd","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":156,"length":3061,"mime_type":"video/mp4","language":"eng","filename":"why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-08-11T18:01:31.854+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/h264-sd/why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_sd.mp4","url":"https://api.media.ccc.de/public/recordings/89535","event_url":"https://api.media.ccc.de/public/events/436bfcb2-e13b-5924-8089-0e5f505102fd","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":521,"length":3061,"mime_type":"video/webm","language":"eng","filename":"why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-10T16:11:10.508+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/webm-hd/why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/89244","event_url":"https://api.media.ccc.de/public/events/436bfcb2-e13b-5924-8089-0e5f505102fd","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":128,"length":3061,"mime_type":"video/webm","language":"eng","filename":"why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-08-10T15:42:36.325+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/webm-sd/why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/89237","event_url":"https://api.media.ccc.de/public/events/436bfcb2-e13b-5924-8089-0e5f505102fd","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"},{"size":748,"length":3061,"mime_type":"video/mp4","language":"eng","filename":"why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-08-10T13:20:14.951+02:00","recording_url":"https://cdn.media.ccc.de/events/why2025/h264-hd/why2025-264-eng-0click_Enterprise_compromise_-_thank_you_AI_hd.mp4","url":"https://api.media.ccc.de/public/recordings/89188","event_url":"https://api.media.ccc.de/public/events/436bfcb2-e13b-5924-8089-0e5f505102fd","conference_url":"https://api.media.ccc.de/public/conferences/WHY2025"}]}