← All articles

Google patches Dialogflow flaw that let one chatbot hijack others in a project

Varonis disclosed a now-patched flaw in Google Cloud's Dialogflow CX, the platform many companies use to build customer-service, financial, and healthcare chatbots. Because all chatbots using the platform's custom-code feature in one Google Cloud project shared a single execution environment with a writable setup file and no isolation, an attacker who could edit one agent, needing only a single low-level permission, could overwrite that file and hijack every chatbot in the project. From there they could read live conversations, steal shared data, and make bots ask for passwords. Google reported no exploitation before fixing it and no customer action is now required, but the case shows how AI features inherit cloud risks.

Check
If you used Dialogflow CX with custom Code Blocks, review the Dialogflow audit logs for unexpected playbook updates, check who held the update permission, and confirm each agent's code blocks are approved.
Affected
Organizations that built Dialogflow CX agents with custom Code Blocks before Google's fix; an attacker with edit rights on one agent could take over every agent in the same Google Cloud project.
Fix
No action is needed now that Google has fixed the flaw, but review historical audit logs if you used the feature, and more broadly scope AI-platform permissions tightly and isolate sensitive agents.