ShadowLeak Exploit Exposed Gmail Data Through ChatGPT Agent
Radware researchers revealed a service-side flaw in OpenAI’s ChatGPT. The ShadowLeak attack used indirect prompt injection to bypass defences and leak sensitive data; the issue has since been fixed.
A team of security researchers from cloud security solutions provider Radware found a way to trick a popular AI tool into giving up a user’s private information. The team, including lead researchers Zvika Babo and Gabi Nakibly, discovered a flaw in OpenAI’s ChatGPT Deep Research agent, a tool that autonomously browses the internet and user documents to create reports. They demonstrated how the agent could be tricked into leaking private data from a user’s Gmail account without their knowledge.
The researchers named the flaw ShadowLeak, describing it as a “zero-click” attack (an attack triggered without the user needing to click on anything), hidden inside a normal-looking email with invisible commands. When a user tells the Deep Research agent to scan their emails, it reads the hidden instructions and, “without user confirmation and without rendering anything in the UI,” sends the user’s private data to a location controlled by the attacker.
**An Invisible Threat**
Unlike past 0-click vulnerabilities like AgentFlayer and EchoLeak, which relied on a user’s web browser, this new method works directly from inside OpenAI’s cloud servers. The researchers called this service-side exfiltration, which makes it much harder to detect with normal security software because it operates entirely behind the scenes. According to the report, it is also “invisible to the user,” as nothing is displayed or rendered.
The attack uses a method called indirect prompt injection, where malicious commands are hidden inside the data an AI model is designed to process, like an email, and are executed without the user’s knowledge. The malicious email, which could be titled “Restructuring Package – Action Items,” pretends to be a normal message.
Inside, invisible code instructs the agent to find sensitive information and send it to a fake “public employee lookup URL.” The email uses social engineering tricks like asserting “full authorisation” and creating a false sense of urgency to bypass the agent’s safety checks.
The team spent a long trial-and-error phase refining the attack, eventually figuring out how to force the agent to use its own browser.open() tool to execute the malicious command. By telling the agent to encode the stolen information in Base64 as a “security measure,” they were able to make it look harmless and achieve a “100% success rate.”
**The Problem Has Been Fixed**
According to Radware’s blog post, it responsibly reported the issue to OpenAI in June 2025. The vulnerability was fixed by early August and officially acknowledged as resolved by OpenAI on September 3.
Although their proof-of-concept used Gmail, the researchers pointed out that the same technique could also work on other services that connect with the Deep Research tool, such as Google Drive, Microsoft Teams, and GitHub, to steal sensitive business data.
To prevent similar issues, they advise companies to clean up emails before AI tools read them and to constantly monitor what the AI agent is doing to ensure its actions align with the user’s original request.