Exclusive: Google patched AI chatbot flaw that could have exposed customer conversations
Add Axios as your preferred source to
see more of our stories on Google.

Illustration: Aïda Amer/Axios
A recently patched flaw in a popular Google Cloud service that powers AI chatbots could've allowed attackers to hijack customer conversations and trick users into handing over sensitive information, according to a Varonis report shared first with Axios.
Why it matters: Companies are increasingly relying on AI chatbots to handle customer service, health care and financial interactions — making flaws in these systems rich targets for attackers.
Driving the news: Varonis found a critical vulnerability in Google's Dialogflow CX platform, which companies use to build AI-powered customer service chatbots and voice assistants.
- The service is widely used to power customer support chats, financial services bots and health care assistants.
- Varonis researchers found that someone who compromised one chatbot could silently monitor conversations, impersonate the bot and, in some cases, interfere with other AI chatbots running in the same Google Cloud project.
Threat level: Users could have been tricked into sharing passwords, insurance information or financial data that attackers could then use in future cyberattacks, Matthew Radolec, field CTO at Varonis, told Axios.
- Varonis initially discovered the issue in November. Google an initial security update in April and fully resolved the issue last month.
Yes, but: Varonis said it found no evidence the vulnerability had been exploited in the wild before it was patched.
- "We appreciate the efforts of researchers like Varonis who disclose their findings through our Vulnerability Reward Program," a Google Cloud spokesperson told Axios in a statement. "The underlying issue has been fully mitigated, and we have no known indication of customer compromise. No customer action is required."
Between the lines: Radolec argues AI tools are being adopted faster than technology companies can fully secure them.
- "This whole concept of 'zero trust' architecture is supposed to be leading the charge in cloud and AI, and this is a case where that was overlooked," he said.
The bottom line: As companies rush to deploy AI, security teams should verify that AI tools are properly isolated and routinely check for exposed credentials.
Editor's note: This story has been updated to clarify that the security patch Google issued last month (after an initial security update in April) resolved the problem.
Go deeper: Companies don't need advanced AI to defend against AI-powered hacks
