OpenAI fixes zero-click ShadowLeak vulnerability affecting ChatGPT Deep Research agent
OpenAI fixed a vulnerability that could have allowed attackers to steal sensitive information through ChatGPT’s Deep Research agent.
Deep Research, a tool unveiled by OpenAI in February, enables users to ask ChatGPT to browse the internet — or your personal email inbox — and generate a detailed report on its findings. The tool can be integrated with applications like Gmail and GitHub, allowing people to do deep dives into their own personal documents.
Cybersecurity firm Radware discovered the vulnerability, which it calls “ShadowLeak.” Its researchers Gabi Nakibly, Zvika Babo and Maor Uziel demonstrated that an attacker could exploit it simply by sending an email to the user.
When someone asks Deep Research to “summarize today’s emails” or “research my inbox about a topic,” the agent ingests the booby-trapped message and, without further user interaction, exfiltrates sensitive data by calling an attacker-controlled URL with private parameters like names, addresses or internal and sensitive information.
Once the AI agent interacted with the malicious email, sensitive data was extracted without the victim ever viewing, opening or clicking the message.
“This is the quintessential zero-click attack,” said David Aviv, chief technology officer at Radware. “There is no user action required, no visible cue and no way for victims to know their data has been compromised. Everything happens entirely behind the scenes through autonomous agent actions on OpenAI cloud servers.”
A Radware spokesperson said they did not see the vulnerability actively exploited in the wild.
Radware disclosed the bug to OpenAI on June 18 through vulnerability reporting platform BugCrowd. By early August, OpenAI said the vulnerability was fixed and the company marked it as resolved on September 3.
A spokesperson for OpenAI confirmed to Recorded Future News that the bug was reported to them through their bug bounty program.
"It’s very important to us that we develop our models safely. We take steps to reduce the risk of malicious use, and we’re continually improving safeguards to make our models more robust against exploits like prompt injections,” the OpenAI spokesperson said. “Researchers often test these systems in adversarial ways, and we welcome their research as it helps us improve.”
Zero clicks
Nakibly and Babo said in a report on the bug that it leaves no network-level evidence, “making these threats nearly impossible to detect from the perspective of the ChatGPT business customer.”
The instructions can be hidden in an email with tiny fonts, white-on-white text or other layout tricks, so the victim never sees the commands but the agent still reads and obeys them.
Nakibly and Babo said the attack begins with a threat actor sending an innocent-looking email titled “Restructuring Package – Action Items.” Inside the body of the email, instructions written in white coloring tell Deep Research to find the employee’s full name and address in the inbox and open a so-called public employee lookup URL that points to an attacker-controlled server.
“The email contains a host of social engineering tricks to bypass the agent’s safety training and its reluctance to send PII to a previously unknown URL,” the researchers said.
The attackers could also portray their server as a “compliance validation system” to make the request sound legitimate. The prompt also overrides safety checks by asserting that the data is public.
Nakibly and Babo demonstrated the attack through Deep Research’s Gmail integration because it is one of the most widely used connectors.
But they noted that the attack could be used on a wide variety of external sources including Google Drive, Dropbox, SharePoint and more.
Any connector that ingested structured or semi-structured text into the agent created a potential prompt injection vector, they explained, noting that Gmail served as a straightforward example, but the same technique “can be applied to these additional connectors to exfiltrate highly sensitive business data such as contracts, meeting notes or customer records.”
“From the outside, the traffic looks like sanctioned assistant activity. From the inside, guardrails focused on safe output don’t catch what really matters here — covert, tool-driven actions,” they said.
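The kind of control the researchers are pointing at, a check on the tool call itself rather than on the model's text output, as an added example that is not part of Radware's report or OpenAI's code: a small Python egress guard that vets a URL the agent wants to fetch against the values it has already read from the inbox (names, addresses) and against an allowlist of connector hosts, so a lookup URL carrying those values is refused before any request leaves. The host names, personal values and URLs are constructed for the demonstration.

```python
# Constructed example (not Radware's or OpenAI's code): an egress guard that vets a URL at the agent's tool boundary before any request is sent.
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

@dataclass
class Verdict:
    allowed: bool
    reason: str

def _norm(s: str) -> str:
    """Case-fold and collapse whitespace so re-spacing a value does not evade a match."""
    return re.sub(r"\s+", " ", s).strip().lower()

def _decodings(s: str):
    """Yield the value as-is and, if it looks like base64, its decoded form too."""
    yield s
    if len(s) >= 8 and re.fullmatch(r"[A-Za-z0-9+/_-]+=*", s):
        try:
            yield base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode("utf-8", "ignore")
        except ValueError:
            pass

def _url_pieces(url: str):
    """Every attacker-steerable string in the URL that could carry data out."""
    parts = urlsplit(url)
    yield unquote(parts.path)
    yield unquote(parts.fragment)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield key
        yield from _decodings(value)

def check_tool_url(url: str, context_secrets, allowed_hosts) -> Verdict:
    """Refuse the fetch if a session secret would leave in the URL, or if the
    destination is not an HTTPS endpoint on the connector allowlist."""
    for piece in _url_pieces(url):
        for secret in context_secrets:
            if _norm(secret) in _norm(piece):
                return Verdict(False, f"sensitive value {secret!r} would leave in the URL")
    parts = urlsplit(url)
    if parts.scheme != "https":
        return Verdict(False, f"scheme {parts.scheme!r} is not https")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return Verdict(False, f"host {host!r} is not an approved connector endpoint")
    return Verdict(True, "ok")

# Constructed session context (values the agent has read from the inbox) and allowlist.
CONTEXT_SECRETS = ["Alice Example", "12 Sample Street, Springfield"]
ALLOWED_HOSTS = {"api.example-connector.com"}
```

The guard is deliberately placed on the outbound request rather than on the generated report, which is where an output-only filter would miss a covert fetch.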
Researchers have spent years uncovering prompts that allow them to abuse OpenAI tools to create malware and phishing emails. ShadowLeak stood out to the researchers because it is part of an emerging class of exploits impacting autonomous tools attached to data sources.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.