ShadowLeak in OpenAI’s ChatGPT Deep Research agent. The flaw exploited enterprise Gmail integrations with web browsing enabled. Attackers could send emails containing invisible HTML instructions, which the agent executed when asked to summarize or analyze inbox messages.
This triggered the agent, running on OpenAI’s servers, to exfiltrate sensitive data to attacker-controlled sites, without any clicks or user awareness.
Radware described this as the first service-side, zero-click indirect prompt injection. OpenAI confirmed the issue after responsible disclosure and has since patched the vulnerability.
