OpenAI Fixes ShadowLeak Vulnerability in ChatGPT

September 22, 2025
OpenAI has addressed a zero-click vulnerability in its ChatGPT Deep Research agent, which allowed attackers to exfiltrate sensitive Gmail data using a single crafted email.

OpenAI has resolved a critical zero-click vulnerability in its ChatGPT Deep Research agent, known as ShadowLeak. Discovered by cybersecurity firm Radware, the flaw allowed attackers to exfiltrate sensitive Gmail inbox data through a single crafted email without any user interaction.

The ShadowLeak attack utilized indirect prompt injection techniques, embedding hidden commands within email HTML using methods like white-on-white text. When the Deep Research agent processed such an email, it would unknowingly execute the attacker's instructions, sending sensitive data to an external server.
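One defensive check for the hiding technique described above, as an added example (not code from Radware or OpenAI): split an email's HTML into text a human reader would see and text hidden by inline styles, so the hidden runs can be dropped or flagged before an agent reads the message. The class and function names are hypothetical, the sample email is constructed, and the heuristic covers inline styles only, assuming a default of black text on a white background.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "input", "link", "area", "base", "col", "wbr"}
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}

def parse_style(style):
    """Inline style attribute -> {property: value}; white spellings collapse to 'white'."""
    pairs = (d.split(":", 1) for d in style.lower().split(";") if ":" in d)
    clean = lambda v: re.sub(r"\s+|!important", "", v)
    return {k.strip(): "white" if clean(v) in WHITE else clean(v) for k, v in pairs}

class HiddenTextSplitter(HTMLParser):
    def __init__(self):
        super().__init__()
        # Frame: (structurally hidden, text colour, background); root defaults are assumed.
        self.stack = [(False, "black", "white")]
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        off, fg, bg = self.stack[-1]
        st = parse_style(dict(attrs).get("style") or "")
        fg, bg = st.get("color", fg), st.get("background-color", st.get("background", bg))
        tiny = re.fullmatch(r"(\d*\.?\d+)(px|pt)?", st.get("font-size", ""))
        # Conservative: once an ancestor hides the subtree, children stay hidden.
        off = (off or st.get("display") == "none" or st.get("visibility") == "hidden"
               or st.get("opacity") == "0" or (tiny and float(tiny.group(1)) <= 1))
        self.stack.append((bool(off), fg, bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        off, fg, bg = self.stack[-1]
        if data.strip():
            (self.hidden if off or fg == bg else self.visible).append(data.strip())

def split_email_html(html):
    parser = HiddenTextSplitter()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.hidden

# Constructed sample email body, not taken from the ShadowLeak report.
SAMPLE = ('<div><p>Quarterly review is on Friday.</p>'
          '<span style="color:#FFFFFF; font-size: 1px">PLACEHOLDER hidden instruction</span></div>')
```

A non-empty hidden list is a signal to quarantine the message or pass only the visible text to the agent; styles applied through `<style>` blocks or images are outside what this check sees.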

OpenAI was informed of the vulnerability on June 18, 2025, and implemented a fix by early August. The issue was marked as resolved by September 3, 2025. Radware noted that the attack could potentially extend to other connectors supported by ChatGPT, such as Google Drive and Dropbox, broadening the attack surface.

This vulnerability highlights the need for robust security measures in AI systems, particularly those with autonomous capabilities like ChatGPT's Deep Research agent. OpenAI continues to improve its safeguards to prevent similar exploits in the future.
