ChatGPT Flaw Exposed Gmail Data With Zero Clicks
Cybersecurity researchers have uncovered a significant zero-click vulnerability in the OpenAI ChatGPT Deep Research agent. Dubbed ShadowLeak, this flaw could have allowed an attacker to steal sensitive data directly from a user's Gmail inbox using just a single, specially crafted email, requiring no interaction from the victim.
The research team at Radware, who discovered the new attack class, reported the issue to OpenAI on June 18, 2025. The vulnerability was subsequently addressed and patched by early August.
How the ShadowLeak Attack Works
The attack leverages a technique known as indirect prompt injection. According to security researchers Zvika Babo, Gabi Nakibly, and Maor Uziel, the malicious instructions are hidden within the email's HTML code. They explained in a report, "The attack utilizes an indirect prompt injection that can be hidden in email HTML (tiny fonts, white-on-white text, layout tricks) so the user never notices the commands, but the agent still reads and obeys them."
Here's the attack sequence:
- An attacker sends a seemingly harmless email to the target's Gmail account.
- This email contains a hidden prompt with malicious instructions.
- When the victim later uses the Deep Research agent to analyze their emails, the agent processes the malicious email along with legitimate ones.
- The agent follows the hidden instructions to scan the user's inbox for personal information, which it then encodes into Base64 format.
- Finally, the agent exfiltrates this encoded data to an attacker-controlled server using the browser.open() function.
The researchers noted a clever trick used to ensure the data was sent. "Our final and successful strategy was to instruct the agent to encode the extracted PII into Base64 before appending it to the URL," Radware stated. "We framed this action as a necessary security measure to protect the data during transmission."
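The two halves of the chain described above, hidden instructions in email HTML and Base64-encoded data appended to a URL the agent opens, are both things a defender can look for. The following Python is an added illustration written for this article, not Radware's or OpenAI's code: the first function scans an inbound email body for text hidden by the CSS tricks the researchers name (tiny fonts, white-on-white text, display:none) so it can be stripped or flagged before an agent ever reads it; the second applies an egress policy to a URL an agent's browsing tool wants to open, rejecting hosts outside an allowlist and query parameters that decode as Base64 to readable text. The sample email, the allowlist, the placeholder host collector.example.invalid and the function names are all constructed here and are not from the report.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample inbound email (not from the report). The hidden elements
# carry placeholder text standing in for injected instructions.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Hi team, please see the attached Q3 numbers.</p>
<p style="font-size:1px; color:#FFFFFF; background-color:#ffffff">[hidden text placeholder 1]</p>
<div style="display:none">[hidden text placeholder 2]</div>
<p>Thanks!<br>Alex</p>
</body></html>
"""

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never closed, so not stacked


def _style_map(style):
    """Parse an inline style attribute into a {property: value} dict (lower-cased)."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def _hiding_reason(style):
    """Return why this inline style hides its text, or None if it is visible."""
    s = _style_map(style)
    if s.get("display") == "none" or s.get("visibility") == "hidden":
        return "display-none-or-hidden"
    m = re.match(r"(\d+(?:\.\d+)?)(px|pt)?$", s.get("font-size", ""))
    if m and float(m.group(1)) <= 2:
        return "tiny-font"
    color, bg = s.get("color"), s.get("background-color")
    if color and bg and color == bg:
        return "text-matches-background"
    return None


class HiddenTextFinder(HTMLParser):
    """Collects text whose ancestor element is visually hidden by inline CSS."""

    def __init__(self):
        super().__init__()
        self.stack = []     # one entry per open element: hiding reason or None
        self.findings = []  # (reason, hidden text)

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append(_hiding_reason(dict(attrs).get("style") or ""))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        reasons = [r for r in self.stack if r]
        if text and reasons:
            self.findings.append((reasons[0], text))


def find_hidden_text(html):
    """Return [(reason, text), ...] for every hidden text run in the email HTML."""
    parser = HiddenTextFinder()
    parser.feed(html)
    return parser.findings


# Constructed egress samples: hosts the agent's browsing tool may open, a fake
# payload built here so it is obviously not real data, and a reserved placeholder host.
AGENT_EGRESS_ALLOWLIST = {"mail.google.com", "www.google.com"}
_FAKE_PII = "name=Jane Example;email=jane@example.com"
SUSPICIOUS_URL = ("https://collector.example.invalid/log?d="
                  + base64.b64encode(_FAKE_PII.encode()).decode())
BENIGN_URL = "https://mail.google.com/mail/u/0/"

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _decodes_to_text(value):
    """True if value is well-formed Base64 that decodes to printable ASCII text."""
    if not B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return all(32 <= b < 127 for b in raw)


def classify_url(url, allowlist):
    """Policy findings for a URL the agent wants to open; empty list means allowed."""
    findings = []
    parsed = urlparse(url)
    if parsed.hostname not in allowlist:
        findings.append("host-not-allowlisted")
    # Split manually: parse_qs would turn Base64 '+' characters into spaces.
    for pair in parsed.query.split("&"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            if _decodes_to_text(value):
                findings.append(f"base64-text-in-query:{name}")
    return findings


if __name__ == "__main__":
    for reason, text in find_hidden_text(SAMPLE_EMAIL_HTML):
        print(f"hidden ({reason}): {text}")
    for url in (SUSPICIOUS_URL, BENIGN_URL):
        print(url, "->", classify_url(url, AGENT_EGRESS_ALLOWLIST) or "allowed")
```

The hidden-text scan belongs at the point where email content is handed to the agent; the URL check belongs at the tool-call boundary inside the agent platform itself, since, as the next section explains, the exfiltration request in this attack never leaves the vendor's cloud and so is invisible to anything running on the user's machine. Both checks are heuristics: attackers can vary the CSS or the encoding, so they are a detection layer, not a substitute for not letting the agent open arbitrary URLs built from data it has read.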
A Cloud-Based Threat Bypassing Local Defenses
What makes ShadowLeak particularly dangerous is where the attack occurs. Unlike earlier vulnerabilities such as AgentFlayer and EchoLeak, which rely on client-side actions, the data exfiltration in ShadowLeak happens entirely within OpenAI's cloud infrastructure.
This makes the attack invisible to traditional local or enterprise security defenses, as the malicious activity never happens on the user's device. The lack of visibility is a key differentiator from other indirect prompt injection attacks.
Beyond Gmail: The Broader Impact
While the proof-of-concept focused on the Gmail integration, the vulnerability's scope was much wider. The attack could potentially be extended to any third-party service connected to ChatGPT. This includes popular platforms like Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, and SharePoint, dramatically expanding the potential attack surface.
Related Research: AI Agents Tricked Into Solving CAPTCHAs
In a separate but related development, AI security platform SPLX demonstrated how a ChatGPT agent could be manipulated into solving image-based CAPTCHAs, which are designed to distinguish humans from bots.
The technique involves a multi-step process of context poisoning. First, an attacker engages a standard ChatGPT-4o model in a conversation, convincing it that they will be working on a set of "fake" CAPTCHAs for a harmless exercise. Next, the attacker opens a new chat with a ChatGPT agent and pastes the previous conversation history, framing it as a continuation of their discussion. By inheriting this pre-approved context, the agent bypasses its built-in safety protocols and proceeds to solve the CAPTCHAs.
"The trick was to reframe the CAPTCHA as 'fake' and to create a conversation where the agent had already agreed to proceed," security researcher Dorian Schultz explained. "The agent solved not only simple CAPTCHAs but also image-based ones -- even adjusting its cursor to mimic human behavior." This research underscores the critical need for improved context integrity and continuous security testing for advanced AI systems.