Cybersecurity researchers have disclosed a zero-click flaw in OpenAI ChatGPT’s Deep Research agent that could allow an attacker to leak sensitive Gmail inbox data with a single crafted email without any user action.
The new class of attack has been codenamed ShadowLeak by Radware. Following responsible disclosure on June 18, 2025, the issue was addressed by OpenAI in early August.
“The attack utilizes an indirect prompt injection that can be hidden in email HTML (tiny fonts, white-on-white text, layout tricks) so the user never notices the commands, but the agent still reads and obeys them,” security researchers Zvika Babo, Gabi Nakibly, and Maor Uziel said.
“Unlike prior research that relied on client-side image rendering to trigger the leak, this attack leaks data directly from OpenAI’s cloud infrastructure, making it invisible to local or enterprise defenses.”
Launched by OpenAI in February 2025, Deep Research is an agentic capability built into ChatGPT that conducts multi-step research on the internet to produce detailed reports. Similar analysis features have been added to other popular artificial intelligence (AI) chatbots like Google Gemini and Perplexity over the past year.
In the attack detailed by Radware, the threat actor sends a seemingly harmless-looking email to the victim, which contains invisible instructions using white-on-white text or CSS trickery that tell the agent to gather their personal information from other messages present in the inbox and exfiltrate it to an external server.
Thus, when the victim prompts ChatGPT Deep Research to analyze their Gmail emails, the agent proceeds to parse the indirect prompt injection in the malicious email and transmit the details in Base64-encoded format to the attacker using the tool browser.open().
“We crafted a new prompt that explicitly instructed the agent to use the browser.open() tool with the malicious URL,” Radware said. “Our final and successful strategy was to instruct the agent to encode the extracted PII into Base64 before appending it to the URL. We framed this action as a necessary security measure to protect the data during transmission.”
The proof-of-concept (PoC) hinges on users enabling the Gmail integration, but the attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint, effectively broadening the attack surface.
Unlike attacks like AgentFlayer and EchoLeak, which occur on the client-side, the exfiltration observed in the case of ShadowLeak transpires directly within OpenAI’s cloud environment, while also bypassing traditional security controls. This lack of visibility is the main aspect that distinguishes it from other indirect prompt injection vulnerabilities similar to it.
ChatGPT Coaxed Into Solving CAPTCHAs
The disclosure comes as AI security platform SPLX demonstrated that cleverly worded prompts, coupled with context poisoning, can be used to subvert ChatGPT agent’s built-in guardrails and solve image-based CAPTCHAs designed to prove a user is human.
The attack essentially involves opening a regular ChatGPT-4o chat and convincing the large language model (LLM) to come up with a plan to solve what’s described to it as a list of fake CAPTCHAs. In the next step, a new ChatGPT agent chat is opened and the earlier conversation with the LLM is pasted, stating this was “our previous discussion” – effectively causing the model to solve the CAPTCHAs without any resistance.
“The trick was to reframe the CAPTCHA as “fake” and to create a conversation where the agent had already agreed to proceed. By inheriting that context, it didn’t see the usual red flags,” security researcher Dorian Schultz said.
“The agent solved not only simple CAPTCHAs but also image-based ones — even adjusting its cursor to mimic human behavior. Attackers could reframe real controls as ‘fake’ to bypass them, underscoring the need for context integrity, memory hygiene, and continuous red teaming.”