Zero-click attack exposes Gmail data via ChatGPT deep research agent

A newly disclosed vulnerability in ChatGPT’s Deep Research tool allowed attackers to exfiltrate Gmail data with a single hidden prompt.

 

What happened

According to The Hacker News, researchers have uncovered a zero-click vulnerability, dubbed ShadowLeak, in OpenAI’s ChatGPT Deep Research agent that could leak Gmail inbox data through a single crafted email. The attacker doesn't require any interaction from the user, just a malicious email disguised to look harmless. OpenAI patched the flaw in early August following responsible disclosure in June 2025.

Unlike previous attacks that relied on client-side rendering, ShadowLeak operates entirely within OpenAI’s cloud infrastructure. The threat actor embeds hidden prompt injections, using white-on-white text, CSS layout tricks, or tiny fonts, into a malicious email. When the user later asks ChatGPT’s Deep Research agent to analyze their Gmail inbox, the prompt is parsed and executed silently.
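A defender-side check for the hiding techniques described above, added here as an example and not taken from the article, Radware, or OpenAI: it flags text in an email's HTML that inline styles make invisible to a human reader, so a mail pipeline can strip or quarantine it before an agent parses the message. The thresholds, the function names, and the sample email are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics below are illustrative assumptions, not a complete CSS model.
WHITE = {"#fff", "#ffffff", "white", "rgb(255,255,255)"}
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no end tag

def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    pairs = (d.split(":", 1) for d in style.split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower().replace(" ", "") for k, v in pairs}

def hidden_reason(style):
    """Return why an inline style hides text from a human reader, or None."""
    s = parse_style(style)
    if s.get("display") == "none" or s.get("visibility") == "hidden":
        return "not rendered"
    m = re.match(r"(\d*\.?\d+)(px|pt)?$", s.get("font-size", ""))
    if m and float(m.group(1)) <= 2:
        return "tiny font"
    # No background given: assume the mail client's default white canvas.
    if s.get("color") in WHITE and s.get("background-color", "#ffffff") in WHITE:
        return "white-on-white"
    return None

class HiddenTextFinder(HTMLParser):
    """Collects text nested inside any element whose inline style hides it."""
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []  # stack carries inherited reasons
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        own = hidden_reason(dict(attrs).get("style") or "")
        self.stack.append(own or (self.stack[-1] if self.stack else None))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if data.strip() and self.stack and self.stack[-1]:
            self.findings.append((self.stack[-1], data.strip()))

def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    return finder.findings
# Constructed sample email body, not the ShadowLeak proof-of-concept.
SAMPLE = ('<div><p>Agenda attached.</p><span style="color:#FFFFFF; font-size:1px">constructed hidden text</span>'
          '<p style="display:none"><b>nested constructed text</b></p></div>')
```

The check only reads inline `style` attributes; rules in `<style>` blocks or off-screen positioning would need a real CSS engine.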

 

Going deeper

The Deep Research agent, launched in February 2025, is designed to conduct step-by-step internet research and generate detailed reports. It also supports integrations with apps like Gmail, Google Drive, Dropbox, GitHub, SharePoint, and others.

In the ShadowLeak proof-of-concept, attackers instructed the agent to use the browser.open() tool to exfiltrate data. They Base64-encoded the extracted personal data before appending it to a malicious URL, disguising the action as a “security step.”

Radware confirmed the attack only works if Gmail integration is active, but warned it can be extended to any other supported connector. Because the attack occurs inside the cloud environment, traditional endpoint or network defenses cannot detect or block it, making ShadowLeak especially difficult to trace.

This type of cloud-based prompt injection differs from earlier attacks, such as AgentFlayer and EchoLeak, which occurred on the client side. ShadowLeak avoids detection by exploiting the trust users place in agents and the lack of visibility into agent-side operations.

 

What was said

Researchers stated that ShadowLeak demonstrates a progression in how prompt injections are deployed and how AI agents can be manipulated remotely. “The user never sees the prompt. The email looks normal. But the agent follows the hidden commands without question,” said researchers.

Separately, security platform SPLX disclosed another type of context-based attack, showing how a ChatGPT agent could be tricked into solving CAPTCHAs by inheriting manipulated conversation history. Researcher Dorian Schultz noted that the agent’s behavior mimicked that of humans, even moving cursors to bypass visual security checks, which raised concerns about guardrail bypasses through indirect context poisoning.

 

FAQs

What is indirect prompt injection, and why is it dangerous?

Indirect prompt injection embeds hidden instructions inside benign-looking content (like emails or web pages). AI agents may follow these prompts without user awareness, leading to unauthorized actions such as data leaks.

 

Can this type of attack affect tools other than Gmail?

Yes. Any ChatGPT connector, like Dropbox, SharePoint, Google Drive, or Outlook, could be targeted if the attacker crafts the prompt to interact with those platforms.

 

How can users protect themselves from zero-click prompt injections?

Users should disable unnecessary integrations, avoid analyzing untrusted content with AI agents, and monitor announcements from platform vendors for newly patched vulnerabilities.

 

Why can’t traditional antivirus or firewalls stop this?

Because the entire attack happens inside the AI’s cloud infrastructure, external security tools have no visibility into the prompt execution or data exfiltration.

 

How is ShadowLeak different from previous prompt injection attacks?

Unlike client-side attacks that rely on the user’s browser, ShadowLeak exploits the agent’s behavior inside the cloud. It requires no user clicks, works silently, and bypasses most enterprise-level security tools.
