ChatGPT Zero Click Flaw Exposed Sensitive Data
In a landmark discovery for AI security, cybersecurity firm Radware has detailed a previously unknown zero-click vulnerability in OpenAI's ChatGPT. Named "ShadowLeak," this exploit marked the first server-side attack of its kind, capable of silently extracting sensitive user data directly from OpenAI's infrastructure without any user interaction.
A New Class of AI Threat Emerges
The vulnerability specifically targeted ChatGPT’s Deep Research agent. Radware's research revealed that an attacker could autonomously exfiltrate confidential information, posing a significant threat to the growing number of enterprises that have integrated ChatGPT into their workflows. The exploit operated entirely behind the scenes, leaving no trace on networks or devices, making it nearly impossible for victims to detect.
ChatGPT (Photo: rafapress / Shutterstock.com)
How the ShadowLeak Exploit Worked
The attack scenario demonstrated by Radware’s Security Research Center (RSRC) was alarmingly simple. A malicious email sent to a target's inbox was enough to trigger ChatGPT's Deep Research agent, which runs on OpenAI's cloud. Without the user ever needing to open or interact with the email, the AI agent could be manipulated to access and leak sensitive data. Gabi Nakibly, one of the lead researchers, confirmed, “This is the first purely server-side zero-click attack we’ve seen, where the AI agent autonomously performs the exfiltration.”
The Dangers of a Server-Side Attack
Unlike traditional zero-click attacks that compromise endpoints like phones or computers, ShadowLeak operated exclusively within the AI's cloud environment. This unique characteristic allowed it to bypass all user-facing and network-level security measures. David Aviv, Chief Technology Officer at Radware, called it "the quintessential zero-click attack," highlighting its invisibility. "There is no user action required, no visible cue, and no way for victims to know their data has been compromised," he stated. This represents a new challenge for enterprise security teams who rely on conventional monitoring tools.
Responsible Disclosure and Resolution
Radware responsibly disclosed the vulnerability to OpenAI in June, adhering to standard industry protocols. OpenAI acknowledged the severity of the issue and successfully resolved it on September 3. Radware praised OpenAI for its prompt cooperation in patching the vulnerability, emphasizing the critical need for proactive security research as AI technology evolves.
Broader Implications for AI Security
The discovery of ShadowLeak arrives as enterprise adoption of ChatGPT is soaring. Nick Turley, ChatGPT's Vice President of Product, revealed in August that the platform serves 5 million paying business users, illustrating the massive potential attack surface. Pascal Geenens, Director of Cyber Threat Intelligence at Radware, warned, “This technology introduces new risks that aren’t addressed by legacy security tools.” To help organizations navigate these new threats, Radware will host a live webinar on October 16 to provide a deep dive into the vulnerability and offer guidance for protecting AI agents.
