A zero-click vulnerability has been identified in OpenAI’s ChatGPT Deep Research agent, enabling attackers to potentially access sensitive Gmail inbox data through a single malicious email, without requiring any interaction from the user. This novel exploitation method, termed ShadowLeak by cybersecurity firm Radware, was responsibly disclosed on June 18, 2025, and promptly addressed by OpenAI in August.
This zero-click attack employs indirect prompt injection that can be concealed within the HTML of an email, utilizing techniques like tiny fonts and white-on-white text to evade detection. According to cybersecurity experts Zvika Babo, Gabi Nakibly, and Maor Uziel, these so-called “invisible commands” are processed by the agent, effectively circumventing any user awareness.
Unlike previous vulnerabilities that relied on client-side image rendering for data leaks, ShadowLeak extracts information directly from OpenAI’s cloud infrastructure, rendering it invisible to local or enterprise security measures. This evolution in attack technique is a significant departure from prior such exploits, raising alarms regarding the efficacy of existing security controls against cloud-based threats.
OpenAI’s Deep Research, which was launched in February 2025, serves as an innovative tool designed to facilitate multi-step internet research for comprehensive reporting. Other AI chatbots, such as Google Gemini and Perplexity, have introduced similar functionalities over the past year, increasing the focus on protecting such capabilities from emerging cyber threats.
The ShadowLeak attack mechanism involves the target receiving an innocuous-looking email that incorporates invisible instructions embedded in CSS or white-on-white text. These instructions command the ChatGPT agent to retrieve and exfiltrate personal information from the victim’s Gmail inbox to an external server.
When a victim subsequently prompts the Deep Research agent to analyze their inbox, the embedded indirect prompt injection activates the data extraction process. The sensitive personal information is then encoded in Base64 and sent to the attacker using the browser.open() tool, a maneuver that diverts attention from standard security protocols.
Radware’s proof-of-concept relies on users having enabled Gmail integration, though the attack can extend to any supported connector within the ChatGPT environment, such as Box, Dropbox, Google Drive, and others, thus broadening the vulnerability landscape significantly. This cloud-centric approach distinguishes ShadowLeak from attacks like AgentFlayer, which primarily exploit client-side vulnerabilities.
As AI capabilities evolve, the need for enhanced security measures is paramount. The attack underscores significant concerns regarding the integrity and security of cloud-based applications, highlighting vulnerabilities that can be exploited on a large scale. Organizations must prioritize the implementation of robust security practices to mitigate such risks, reinforcing their defenses against sophisticated cyber threats.
Capturing CAPTCHAs through AI Manipulation
In a related demonstration, AI security platform SPLX has revealed that well-crafted prompts and context manipulation can successfully bypass safeguards designed to prevent ChatGPT from solving image-based CAPTCHAs. By initially framing CAPTCHAs as “fake,” an attacker can manipulate the ChatGPT agent into resolving them seamlessly, showcasing the vulnerabilities inherent in current AI models.
This example serves as a stark reminder of the need for continuous vigilance and adaptive security frameworks in the evolving landscape of cybersecurity threats.
