According to research published in the Journal of Financial Crime, zero-click attacks represent "one big leap that attackers are taking that removes the requirement of human involvement in initiating attacks and are moving toward an era of unassisted attacks." Unlike traditional phishing, which relies on victims clicking malicious links or opening infected attachments, zero-click vulnerabilities allow attackers to compromise devices without any user interaction whatsoever.
Zero-click vulnerabilities exploit hidden flaws in software, communication protocols, or device firmware to silently gain access, exfiltrate data, and enable long-term surveillance. As researchers note in Computers, Materials and Continua, "a single message or data packet can trigger the exploit; no clicks or downloads are necessary."
Attackers favor this method because it leaves no trace of user involvement, bypasses conventional defenses, and evades user-awareness mechanisms. Zero-click attacks have led to the theft of personal data, surveillance of journalists and activists, and disruption of critical infrastructure. The evolution toward zero-click attacks stems from improved security awareness among users. As the Journal of Financial Crime research explains, "thanks to rigorous phishing campaigns, now people are reluctant to click a link or open a website sent by unknowns. This made the attackers think about alternate methods of baiting the victims."
In October 2025, researchers disclosed ShadowLeak, a zero-click vulnerability in OpenAI's ChatGPT Deep Research agent that could leak Gmail inbox data through a single crafted email. The attack required no user interaction, just a malicious email disguised to look harmless. Attackers embedded hidden prompt injections in the email using white-on-white text, CSS layout tricks, or tiny fonts, so the malicious instructions were invisible to the human eye but still readable by the AI system. When users later asked ChatGPT's Deep Research agent to analyze their Gmail inbox, the hidden prompt was parsed and executed silently, exfiltrating personal data to attacker-controlled servers.
Because the attack occurred entirely within OpenAI's cloud infrastructure, traditional endpoint or network defenses couldn't detect or block it. Researchers noted, "The user never sees the prompt. The email looks normal. But the agent follows the hidden commands without question."
OpenAI patched the flaw following responsible disclosure, but the incident demonstrates how zero-click vulnerabilities are expanding beyond mobile devices into AI-powered tools and cloud services of the kind used in healthcare for data analysis and communication.
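The concealment tricks named above (white-on-white text, tiny fonts, CSS positioning) are all visible in the email's own markup, so they can be checked before an email body is ever handed to an agent. The following Python is an added example, not code from the article or from OpenAI: it parses the inline CSS of an HTML email, separates the text a human reader would see from text styled to be invisible, and gates the hand-off to an agent on that result. The sample email, the 4px font threshold, the -1000px off-screen threshold and the assumption of a white page background are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Thresholds and page defaults below are assumptions made for this example.
TINY_FONT_PX = 4.0        # text at or below this size is treated as unreadable
OFFSCREEN_PX = -1000.0    # text pushed this far left is treated as hidden
DEFAULT_BACKGROUND = "white"
VOID_TAGS = {"br", "img", "hr"}
NAMED_COLOURS = {"white": "#ffffff", "black": "#000000"}


def normalise_colour(value):
    """Map 'white', '#FFF' and '#ffffff' onto one spelling so they compare equal."""
    v = value.strip().lower()
    v = NAMED_COLOURS.get(v, v)
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        v = "#" + "".join(c * 2 for c in v[1:])
    return v


def parse_style(style):
    """Turn 'color: #FFF; font-size: 1px' into {'color': '#fff', 'font-size': '1px'}."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props


def hidden_reason(props, inherited_bg):
    """Return why text in this element would be invisible, or None if it is shown."""
    if props.get("display") == "none" or props.get("visibility") == "hidden":
        return "display:none / visibility:hidden"
    if props.get("opacity") in ("0", "0.0"):
        return "opacity:0"
    bg = props.get("background-color") or props.get("background") or inherited_bg
    colour = props.get("color")
    if colour and normalise_colour(colour) == normalise_colour(bg):
        return "text colour matches background"
    m = re.match(r"([0-9.]+)px", props.get("font-size", ""))
    if m and float(m.group(1)) <= TINY_FONT_PX:
        return "tiny font"
    for prop in ("left", "text-indent", "margin-left"):
        m = re.match(r"(-?[0-9.]+)px", props.get(prop, ""))
        if m and float(m.group(1)) <= OFFSCREEN_PX:
            return "positioned off-screen"
    return None


class HiddenTextFinder(HTMLParser):
    """Walk the HTML, tracking for each open element whether its text is hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []      # entries: (tag, hidden reason or None, effective background)
        self.visible = []    # text a reader would see
        self.hidden = []     # entries: (reason, text) for styled-away text

    def handle_starttag(self, tag, attrs):
        props = parse_style(dict(attrs).get("style") or "")
        parent_bg = self.stack[-1][2] if self.stack else DEFAULT_BACKGROUND
        own_bg = props.get("background-color") or props.get("background") or parent_bg
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden_reason(props, parent_bg), own_bg))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or any(t in ("style", "script") for t, _, _ in self.stack):
            return
        reasons = [r for _, r, _ in self.stack if r]
        if reasons:
            self.hidden.append((reasons[0], text))
        else:
            self.visible.append(text)


def analyse_email_html(html):
    """Split an HTML email into the text a reader sees and the text styled to be unseen."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return {"visible_text": " ".join(finder.visible), "hidden": finder.hidden}


def is_safe_for_agent(html):
    """Gate: hand the email to an agent only when no hidden text was found."""
    return not analyse_email_html(html)["hidden"]


# Constructed sample: one visible note plus three blocks hidden by different tricks.
SAMPLE_EMAIL = """<html><body style="background-color:#ffffff">
<p>Hi, attached are the Q3 numbers we discussed. Let me know if anything is unclear.</p>
<div style="color:#FFF; font-size:1px">HIDDEN TEXT PLACEHOLDER (constructed sample)</div>
<span style="position:absolute; left:-5000px">second hidden block</span>
<p style="display:none">third hidden block</p>
<p>Thanks,<br>Dana</p>
</body></html>"""
```

Run `analyse_email_html(SAMPLE_EMAIL)` and the three hidden blocks come back with the reason each one was flagged, while `visible_text` holds only what a reader would see. The checker looks at inline `style` attributes only; rules in a `<style>` block, text rendered inside images, and content fetched at render time are outside what it inspects, so it is one layer in front of the agent rather than a complete filter.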
Zero-click attacks exploit vulnerabilities within messaging protocols, application frameworks, and device firmware. Research in Computers, Materials and Continua identifies several high-profile examples:
What makes these attacks dangerous is their stealth. As the Computers, Materials and Continua research notes, "conventional defense mechanisms — such as behavioral detection, intrusion prevention systems (IPS), and user-awareness training — offer limited protection against such attacks."
Research published in both Computers, Materials and Continua and the Journal of Financial Crime explains how traditional security tools struggle against zero-click attacks for the following reasons:
A zero-day vulnerability is a software flaw unknown to the vendor, meaning no patch exists. A zero-click vulnerability refers to how the attack is delivered without user interaction. Many zero-click attacks exploit zero-day vulnerabilities, but the terms describe different aspects of the threat.
Prompt injection is an attack technique targeting AI systems. Attackers embed hidden instructions within seemingly normal content like an email or document that the AI reads and executes without the user's knowledge.
An intrusion detection system is a security tool that monitors network traffic or system activity for signs of malicious behavior. Signature-based IDS identifies known threat patterns, while behavior-based IDS detects unusual activity that may indicate an attack. Zero-click attacks often evade signature-based detection because they exploit previously unknown vulnerabilities.
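To make the difference between the two IDS styles concrete, here is an added Python example (not from the article) that runs a signature rule and a per-host behavioural baseline over a constructed connection log. The log lines, the two known-pattern signatures, and the 10x-median volume threshold are assumptions made for the example; the point is that a large, benign-looking outbound transfer with no known pattern is caught only by the behavioural rule, which is the gap the article describes.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log (not real traffic): time, host, destination, bytes out, request.
LOG_LINES = [
    "10:00:01 host-a 203.0.113.5 1200 GET /index.html",
    "10:00:09 host-a 203.0.113.5 950 GET /style.css",
    "10:01:12 host-a 203.0.113.5 1400 POST /api/sync",
    "10:02:30 host-b 198.51.100.7 800 GET /index.html",
    "10:02:41 host-b 198.51.100.7 300 GET /../../etc/passwd",
    "10:03:05 host-a 203.0.113.5 1100 POST /api/sync",
    "10:03:40 host-b 198.51.100.7 700 GET /about.html",
    "10:04:15 host-a 192.0.2.99 250000 POST /api/sync",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.+)$")

# Assumed signature set: two textbook patterns a signature IDS would already know.
KNOWN_BAD = [re.compile(p) for p in (r"\.\./\.\./", r"(?i)union\s+select")]


def parse(line):
    """Parse one constructed log line into a record."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unparseable log line: %r" % line)
    time, host, dst, nbytes, request = m.groups()
    return {"time": time, "host": host, "dst": dst, "bytes": int(nbytes), "request": request}


def signature_alerts(lines):
    """Signature IDS: a record is flagged only if it matches a known pattern."""
    alerts = []
    for i, line in enumerate(lines):
        rec = parse(line)
        if any(p.search(rec["request"]) for p in KNOWN_BAD):
            alerts.append(i)
    return alerts


def behaviour_alerts(lines, factor=10):
    """Behaviour IDS: flag outbound volume far above the host's own median."""
    recs = [parse(line) for line in lines]
    per_host = defaultdict(list)
    for rec in recs:
        per_host[rec["host"]].append(rec["bytes"])
    alerts = []
    for i, rec in enumerate(recs):
        median = statistics.median(per_host[rec["host"]])
        if rec["bytes"] > factor * median:
            alerts.append(i)
    return alerts


def compare(lines):
    """Show which records each detection style catches and which it misses."""
    sig = set(signature_alerts(lines))
    beh = set(behaviour_alerts(lines))
    return {
        "signature_only": sorted(sig - beh),
        "behaviour_only": sorted(beh - sig),
        "both": sorted(sig & beh),
    }
```

On the sample, the traversal request on line 4 is the only signature hit, while the 250000-byte POST on line 7 looks like every other `/api/sync` call to the signature rule and is flagged only because it is far outside host-a's own baseline. A production behavioural detector would use richer features than one volume statistic, but the asymmetry is the same: an exploit with no known pattern leaves signature matching nothing to match.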