incident_management · saas · workflow
Operation Pale Fire: Block Red-Teams goose AI Agent for Prompt Injection Vulnerabilities
Block needed to proactively identify how attackers could exploit goose, their open-source AI agent, to compromise Block employees, because AI coding agents cannot effectively isolate untrusted context from their single context window.
How it works
Common implementation structure
How this type of workflow is generally built, generalized across documented cases — not tied to any one vendor's stack. Click any stage to read what happens there. Specific products that implement these stages appear in “Tools commonly seen” below.
Stage 1 · Identify calendar MCP attack vector
The red team surveyed commonly used MCP extensions to find ones pulling untrusted content into the context window, discovering Google Calendar MCP.
Tools used
gooseModel Context Protocol (MCP)Google Calendar MCPGoogle Calendar APIdeveloper shell toolGoogle Meet
Outcome
The red team successfully compromised a Block employee's laptop using prompt injection hidden in invisible Unicode characters, DART identified and contained the simulated threat, and multiple security mitigations were subsequently merged into goose.
What failed first
Two earlier attack campaigns failed before success was achieved: the first was hampered by Google Calendar API rate limits, an MCP update that broke date-range handling, and LLM non-determinism; the second was foiled by a typo in the prompt injection.
Grounding & classification
Source type: technical build writeup
22 fields verified against source quotes.
agentic workflowai agentfailure mode describedhuman review describednamed customerproduction runtime claimedtools describedworkflow describedsoftwareaccuracy improvementtechnical build writeupcompliance monitoringincident managementmonitor detect alert