Operation Pale Fire: Block Red-Teams goose AI Agent for Prompt Injection Vulnerabilities
Block needed to proactively identify how attackers could exploit goose, their open-source AI agent, to compromise Block employees, because AI coding agents cannot effectively isolate untrusted context from their single context window.
Two earlier attack campaigns failed before success was achieved: the first was hampered by Google Calendar API rate limits, an MCP update that broke date-range handling, and LLM non-determinism; the second was foiled by a typo in the prompt injection.
The red team successfully compromised a Block employee's laptop using prompt injection hidden in invisible Unicode characters, DART identified and contained the simulated threat, and multiple security mitigations were subsequently merged into goose.
Frequently asked questions
What did this team achieve with this AI workflow?
The red team successfully compromised a Block employee's laptop using prompt injection hidden in invisible Unicode characters, DART identified and contained the simulated threat, and multiple security mitigations were…
What tools did this team use?
goose, Model Context Protocol (MCP), Google Calendar MCP, Google Calendar API, developer shell tool, Google Meet, Google Calendar.
What results were reported?
Laptop compromise result: successfully compromised a Block employee's laptop; Threat detection and containment: quickly identified and contained the simulated threat; Goose security posture improvement: extremely valuable to improving the security posture of goose (source-reported, not independently verified).
What failed first in this deployment?
Two earlier attack campaigns failed before success was achieved: the first was hampered by Google Calendar API rate limits, an MCP update that broke date-range handling, and LLM non-determinism; the second was foiled…
How is this incident management AI workflow structured?
Identify calendar MCP attack vector → Send stealthy calendar invite → Goose decodes zero-width injection → Injection invokes developer shell → Poisoned recipe kicks off infostealer → DART detects and isolates threat → Mitigations merged into goose.