ShadowLeak: A Zero-Click, Service-Side Attack Exfiltrating Sensitive Data Using ChatGPT's Deep Resea
Summary:
Researchers uncovered a zero-click vulnerability in ChatGPT’s Deep Research agent that enabled attackers to exfiltrate sensitive Gmail inbox data without any user action or visible indication. The flaw arose from a service-side prompt injection hidden in a crafted email. By embedding invisible commands within HTML, attackers could trick the agent into reading the instructions while the victim remained unaware. Once triggered during a normal Deep Research task, the agent obediently retrieved personal data from the victim’s mailbox and transmitted it to an attacker-controlled server. Unlike earlier attacks that relied on client-side rendering, this exploit was service-side, occurring entirely within OpenAI’s infrastructure. That made it invisible to endpoint defenses, enterprise security controls, or even the end-user. The agent’s built-in browsing tool, browser.open(), became the exfiltration channel, and attackers improved their success rate by layering social engineering tactics: asserting authority, disguising the malicious URL as a “compliance system,” mandating retries, adding urgency, and framing the theft as “authorized.” The final breakthrough came when attackers instructed the agent to Base64-encode PII before sending it, bypassing internal restrictions and achieving a 100% success rate.
Security Officer Comments:
This “ShadowLeak” attack is significant because it demonstrates how trusted AI agents can be manipulated into acting as proxies for attackers. The abuse extended beyond Gmail: any connector accessible to Deep Research could be weaponized using the same hidden-prompt injection method, exposing contracts, calendars, meeting notes, and source code. Since the data leak originated from OpenAI’s servers, it bypassed enterprise monitoring, created no visual cues for the user, and allowed exfiltration to virtually any attacker domain.
Suggested Corrections:
Suggested Corrections requires more than content sanitization. While filtering email HTML to remove invisible or obfuscated elements helps, the stronger defense is real-time agent monitoring that validates whether the agent’s actions align with the user’s original intent. By analyzing both actions and inferred goals, enterprises can detect when an agent deviates from legitimate research tasks into executing hidden attacker instructions. The vulnerability was responsibly disclosed on June 18, 2025, via Bugcrowd and patched by OpenAI in early August. OpenAI later acknowledged the issue on September 3. This case underscores the need for proactive defenses against indirect prompt injection and the risks of granting AI agents autonomous access to sensitive enterprise data.
Link(s):
https://www.radware.com/blog/threat-intelligence/shadowleak/
Researchers uncovered a zero-click vulnerability in ChatGPT’s Deep Research agent that enabled attackers to exfiltrate sensitive Gmail inbox data without any user action or visible indication. The flaw arose from a service-side prompt injection hidden in a crafted email. By embedding invisible commands within HTML, attackers could trick the agent into reading the instructions while the victim remained unaware. Once triggered during a normal Deep Research task, the agent obediently retrieved personal data from the victim’s mailbox and transmitted it to an attacker-controlled server. Unlike earlier attacks that relied on client-side rendering, this exploit was service-side, occurring entirely within OpenAI’s infrastructure. That made it invisible to endpoint defenses, enterprise security controls, or even the end-user. The agent’s built-in browsing tool, browser.open(), became the exfiltration channel, and attackers improved their success rate by layering social engineering tactics: asserting authority, disguising the malicious URL as a “compliance system,” mandating retries, adding urgency, and framing the theft as “authorized.” The final breakthrough came when attackers instructed the agent to Base64-encode PII before sending it, bypassing internal restrictions and achieving a 100% success rate.
Security Officer Comments:
This “ShadowLeak” attack is significant because it demonstrates how trusted AI agents can be manipulated into acting as proxies for attackers. The abuse extended beyond Gmail: any connector accessible to Deep Research could be weaponized using the same hidden-prompt injection method, exposing contracts, calendars, meeting notes, and source code. Since the data leak originated from OpenAI’s servers, it bypassed enterprise monitoring, created no visual cues for the user, and allowed exfiltration to virtually any attacker domain.
Suggested Corrections:
Suggested Corrections requires more than content sanitization. While filtering email HTML to remove invisible or obfuscated elements helps, the stronger defense is real-time agent monitoring that validates whether the agent’s actions align with the user’s original intent. By analyzing both actions and inferred goals, enterprises can detect when an agent deviates from legitimate research tasks into executing hidden attacker instructions. The vulnerability was responsibly disclosed on June 18, 2025, via Bugcrowd and patched by OpenAI in early August. OpenAI later acknowledged the issue on September 3. This case underscores the need for proactive defenses against indirect prompt injection and the risks of granting AI agents autonomous access to sensitive enterprise data.
Link(s):
https://www.radware.com/blog/threat-intelligence/shadowleak/