Critical Flaw Exposed Google Dialogflow CX Chatbots to Hijacking
A vulnerability in Google's Dialogflow CX allowed attackers with limited access to hijack chatbots and intercept user data. Security researchers warn of potential data theft and message manipulation.
TL;DR
- Varonis discovered a flaw in Google Dialogflow CX affecting Code Block-enabled agents
- Attackers could escalate privileges within the same Google Cloud project
- Compromised bots could leak live conversations and sensitive user data
- Malicious actors might force bots to send custom messages, like fake password prompts
- Organizations using Dialogflow CX should review agent permissions and update configurations
Google's Dialogflow CX, a popular platform for building AI-powered chatbots, was found vulnerable to a serious privilege escalation flaw. Security researchers from Varonis identified a weakness that could allow malicious actors with edit access to one agent take control of others in the same Google Cloud project.
The vulnerability specifically affected agents using the Code Block feature, which enables developers to embed custom logic into chatbot workflows. Exploitation could lead to unauthorized access to real-time conversations, sensitive user inputs, and even the ability to manipulate bot behavior.
Vulnerability Details
- The flaw resided in how Dialogflow CX handled permissions between Code Block-enabled agents
- An attacker needed only edit rights on a single agent to potentially access others in the same project
- No authentication bypass or remote code execution was required—just existing credentials
- Google has since patched the issue but organizations should audit their configurations
Impact and Risk
- Threat actors could monitor live interactions and extract personal or business-sensitive data
- Bots could be manipulated to send attacker-controlled messages, such as phishing prompts
- Organizations relying on Dialogflow CX for customer support or internal communications were at risk
- The attack vector was particularly concerning for enterprises using shared GCP environments
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.