ChatGPT Agent Flaw Allowed Silent Gmail Data Theft

OpenAI recently patched a significant vulnerability in its ChatGPT Deep Research agent, a flaw that could have allowed attackers to silently extract data from a user's connected Gmail account. The security issue, discovered by researchers at Radware, affected subscribers who had authorized the advanced AI tool to access their email services.

OpenAI patched a flaw in ChatGPT's Deep Research agent that could have enabled hackers to extract Gmail data without the user's knowledge. (Image: Shutterstock)

How the ShadowLeak Vulnerability Worked

The Deep Research agent is designed by OpenAI to perform complex online research and integrate with various user accounts to act as a personal assistant. However, Radware researchers uncovered a critical weakness they dubbed "ShadowLeak."

The attack method was a sophisticated form of prompt injection. The researchers sent an email to themselves containing hidden instructions. When the Deep Research agent accessed this email to process its contents, it unknowingly executed the malicious directives embedded within. These commands instructed the agent to search for personal information, such as full names and addresses, and then send that data to a web address controlled by the researchers. Crucially, this entire process required no clicks or interaction from the user, allowing sensitive data to be siphoned off completely unnoticed.

The Unseen Threat of Service-Side Attacks

What made ShadowLeak particularly dangerous was its nature as the first-known service-side, zero-click indirect prompt injection. This means the data was exfiltrated directly from OpenAI's own infrastructure, not from the user's computer or browser. Previous vulnerabilities often relied on manipulating how content, like images, was rendered on the user's screen.

As Pascal Geenens, Radware's director of threat research, reportedly explained, this method leaves organizations blind. "There is no trace of a web call or data leaking through the affected organization's boundary. There is no visibility or traceability," he told Information Security Media Group. In the event of a breach, companies would have no logs to determine the scope of the compromised data.

This exploit cleverly turned the autonomy of AI agents against the user. The very features designed to make these tools powerful and time-saving—accessing emails, calendars, and cloud services with minimal oversight—became the attack vector.

Broader Implications for Connected Services

The threat was not limited to Gmail. Radware noted that the Deep Research agent can also integrate with other popular services like Microsoft Outlook, GitHub, Google Drive, and Dropbox. The researchers warned that these connections could be susceptible to similar exploits. "The same technique can be applied to these additional connectors to exfiltrate highly sensitive business data such as contracts, meeting notes or customer records," they stated.

This highlights a growing risk for businesses where employees might use personal or corporate AI subscriptions to access sensitive company data, potentially creating unmonitored pathways for data exfiltration.

OpenAI's Response and Enterprise Takeaways

OpenAI acted to address the vulnerability earlier this month after being notified by Radware. A spokesperson for OpenAI acknowledged the value of such research, telling Bloomberg, "researchers often test these systems in adversarial ways, and we welcome their research as it helps us improve." Fortunately, Radware found no evidence that the ShadowLeak flaw was exploited in the wild outside of their controlled tests.

For businesses, this incident serves as a critical reminder of the importance of AI governance. Geenens emphasized that companies must have clear visibility into what data AI assistants can access and what external sources they connect to. He recommended that every AI interaction, both prompts and responses, should be logged and available for inspection. "Only through these records can potential leaks be identified and the scope of compromised data assessed," he concluded.