A serious security flaw has been discovered in OpenAI’s ChatGPT Deep Research agent, raising major concerns about the safety of connected email accounts such as Gmail. Cybersecurity researchers from Radware revealed that attackers could exploit this zero-click vulnerability to steal sensitive Gmail data with just a single malicious email—without the victim ever clicking or opening anything.
The new attack method has been named ShadowLeak and represents one of the most advanced examples of indirect prompt injection seen so far. OpenAI has already patched the issue after it was responsibly disclosed on June 18, 2025, with fixes rolled out in early August 2025.
According to Radware researchers Zvika Babo, Gabi Nakibly, and Maor Uziel, ShadowLeak uses hidden instructions embedded in email HTML. These instructions can be disguised with tricks such as:
-
Tiny fonts
-
White text on a white background
-
Layout manipulation with CSS
While invisible to the user, ChatGPT’s Deep Research agent can still read and follow these hidden commands.
The attack takes advantage of the Gmail integration in ChatGPT. When a user asks the Deep Research agent to analyze their inbox, the malicious email instructs the AI to collect sensitive information (such as personal data from other messages) and send it to an attacker-controlled server.
To make the theft stealthy, the instructions even tell the agent to encode the stolen data in Base64 format before attaching it to the malicious URL. The agent then uses the built-in browser.open() tool to send the information outside the victim’s account—all without the victim’s knowledge.
Unlike traditional phishing attacks, ShadowLeak requires no user action. The victim doesn’t have to click a link or download an attachment—the simple act of asking ChatGPT to review emails is enough to trigger the data theft.
Even more concerning, the exfiltration of data happens directly in OpenAI’s cloud environment. This makes the attack invisible to normal security defenses like antivirus software, firewalls, or enterprise email protection tools.
Researchers noted that ShadowLeak is different from earlier AI exploits such as AgentFlayer and EchoLeak, which operated on the client side. In this case, all the malicious activity occurs on OpenAI’s infrastructure, giving attackers a much higher chance of avoiding detection.
While the proof-of-concept focused on Gmail, Radware’s report warned that any connector supported by ChatGPT Deep Research could be abused. This includes popular platforms like:
-
Microsoft Outlook
-
Google Drive
-
Dropbox
-
GitHub
-
Box
-
HubSpot
-
Notion
-
SharePoint
This means attackers could potentially exfiltrate sensitive business data, source code, documents, or CRM records if users connect these platforms to ChatGPT.
ShadowLeak is not the only example of AI agents being tricked into dangerous behavior. Around the same time, security researchers from SPLX demonstrated how ChatGPT agents can be manipulated to solve CAPTCHAs, which are normally designed to block automated bots.
In this attack, the researchers tricked ChatGPT by framing CAPTCHAs as “fake” images. First, they had a normal ChatGPT-4o chat where the model was convinced to create a plan for solving fake CAPTCHAs. Then, they transferred this context into a new ChatGPT agent session. Since the agent believed it was continuing a past conversation, it ignored security guardrails and solved real CAPTCHAs—sometimes even moving its cursor to mimic human clicks.
This finding highlights how context poisoning and memory inheritance can allow attackers to bypass AI safeguards.
While OpenAI has patched the ShadowLeak flaw, the incident is an important reminder for both individual users and organizations:
Limit AI integrations – Only connect AI agents to platforms like Gmail, Drive, or Outlook if absolutely necessary.
Review email hygiene – Even invisible elements in emails can carry malicious instructions. Be cautious when analyzing emails with AI tools.
Enable security monitoring – Enterprises should add logging and anomaly detection around AI integrations.
Conduct red teaming – Regular AI-focused penetration testing can help uncover prompt injection vulnerabilities.
Educate users – Employees should be aware of indirect prompt injection attacks and the risks of blindly trusting AI output.
The ShadowLeak zero-click exploit shows just how far AI security challenges have evolved. Unlike normal phishing, attackers don’t need interaction. Unlike past prompt injection flaws, this attack abuses cloud-based processing, bypassing local defenses.
As AI agents like ChatGPT, Google Gemini, and Perplexity add more autonomous research and integration features, the attack surface will continue to grow. ShadowLeak proves that malicious actors can weaponize these capabilities in subtle but highly effective ways.
For now, the fix by OpenAI protects users from this specific vulnerability, but future indirect prompt injections are likely. Security researchers stress that the AI industry must prioritize context integrity, strict data handling, and continuous testing to prevent the next generation of AI-powered attacks.
ShadowLeak is more than just another vulnerability—it is a warning sign. As AI tools become deeply integrated into personal and business workflows, cybercriminals will look for invisible ways to manipulate them. Zero-click attacks like this one show that the line between safe automation and dangerous exploitation is thinner than ever.
Organizations must adopt AI security strategies today, because threats like ShadowLeak highlight a future where data leaks may no longer depend on human error, but on AI agents being silently manipulated in the background.
Interesting Article : Fortra Patches Critical CVSS 10.0 Flaw in GoAnywhere MFT (CVE-2025-10035)
Pingback: Microsoft Fixes Critical Entra ID Flaw CVE-2025-55241 Allowing Global Admin Impersonation