A zero-click vulnerability found in ChatGPT's Deep Research agent allowed attackers to exfiltrate sensitive data from a user's Gmail account without any user interaction.
The flaw, which OpenAI has since patched, leveraged a sophisticated form of indirect prompt injection hidden inside an email, tricking the agent into leaking personal information directly from OpenAI's cloud infrastructure.
According to Radware, the attack began with an attacker sending a specially crafted email to a victim. This email contained hidden instructions, invisible to the human eye, embedded within its HTML code using techniques like tiny fonts or white-on-white text.
When the user prompted the Deep Research agent to analyze their Gmail inbox, the agent would read this malicious email alongside legitimate ones.
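The concealment techniques named above (tiny fonts, text coloured to match its background) are the kind of thing an ingestion layer can detect before an email ever reaches an agent. The following is an added example, not Radware's or OpenAI's code: a standard-library HTML pass that splits an email into text a human would actually see and text that is styled to be invisible, so the hidden portion can be dropped or flagged for review. The sample email, the 6px visibility threshold and the white default background are constructed assumptions for the demo; it also treats display:none and visibility:hidden as hidden, which goes slightly beyond the two tricks the article names.

```python
"""Split an HTML email into human-visible text and text styled to be invisible.

Added example (not Radware's or OpenAI's code). Standard library only.
Assumptions: the page background is white unless a style says otherwise,
and any font smaller than MIN_VISIBLE_PX is treated as hidden.
"""
import re
from html.parser import HTMLParser

FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([\d.]+)\s*(px|pt|em|rem|%)?", re.I)
COLOR_RE = re.compile(r"(?<![a-z-])color\s*:\s*([^;]+)", re.I)      # not background-color
BG_RE = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}
MIN_VISIBLE_PX = 6.0  # assumption: smaller text is treated as concealed


def _norm_color(value):
    """Normalise a few common colour spellings so white == #fff == #ffffff."""
    v = value.strip().lower()
    named = {"white": "#ffffff", "black": "#000000", "transparent": "transparent"}
    if v in named:
        return named[v]
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        return "#" + "".join(c * 2 for c in v[1:])
    return v


def _font_px(value, unit):
    """Rough conversion of a font-size to pixels (16px base)."""
    n = float(value)
    return {"px": n, "pt": n * 4 / 3, "em": n * 16, "rem": n * 16, "%": n * 0.16}[(unit or "px").lower()]


def _style_hides(style, inherited_bg):
    """Return (reasons the style hides text, effective background colour)."""
    reasons = []
    if HIDDEN_CSS_RE.search(style):
        reasons.append("display:none/visibility:hidden")
    m = FONT_SIZE_RE.search(style)
    if m and _font_px(m.group(1), m.group(2)) < MIN_VISIBLE_PX:
        reasons.append(f"font-size {m.group(1)}{m.group(2) or 'px'}")
    b = BG_RE.search(style)
    bg = _norm_color(b.group(1)) if b else inherited_bg
    c = COLOR_RE.search(style)
    if c:
        fg = _norm_color(c.group(1))
        if fg == "transparent" or fg == bg:
            reasons.append(f"text color {fg} matches background")
    return reasons, bg


class HiddenTextParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = [([], "#ffffff")]  # (inherited hide reasons, background) per open element
        self.visible, self.hidden = [], []
        self.skip_depth = 0             # inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        parent_reasons, parent_bg = self.stack[-1]
        reasons, bg = _style_hides(a.get("style") or "", parent_bg)
        if "hidden" in a:
            reasons.append("hidden attribute")
        self.stack.append((parent_reasons + reasons, bg))
        if tag in ("style", "script"):
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or len(self.stack) == 1:
            return
        self.stack.pop()
        if tag in ("style", "script"):
            self.skip_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if not text or self.skip_depth:
            return
        reasons = self.stack[-1][0]
        (self.hidden.append((text, "; ".join(reasons))) if reasons else self.visible.append(text))


def sanitize_email_html(html):
    """Return (visible text joined with spaces, list of (hidden text, reason))."""
    p = HiddenTextParser()
    p.feed(html)
    p.close()
    return " ".join(p.visible), p.hidden


# Constructed sample email: one normal paragraph, two concealed blocks.
SAMPLE_EMAIL = """<html><body style="background:#fff;color:#000">
<p>Hi team, the Q3 restructuring plan is attached for review.</p>
<p style="color:#FFFFFF;font-size:1px">[constructed hidden instruction placeholder]</p>
<div style="display:none">[second constructed hidden block]</div>
<p>Regards,<br>HR</p>
</body></html>"""

if __name__ == "__main__":
    visible, hidden = sanitize_email_html(SAMPLE_EMAIL)
    print("VISIBLE:", visible)
    for text, why in hidden:
        print("HIDDEN :", text, "<-", why)
```

Only the visible portion should be handed to the agent; the hidden entries are what a reviewer or a detection rule would look at. Real HTML email also hides text with off-screen positioning, zero-height containers and CSS classes defined in a stylesheet, so a production filter would need a real CSS resolver rather than inline-style matching.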
The hidden prompts used social engineering tactics to bypass the agent's safety protocols. These tactics included:
Asserting Authority: The prompt falsely claimed the agent had "full authorization" to access external URLs.
Disguising Malicious URLs: The attacker's server was presented as a legitimate "compliance validation system."
Mandating Persistence: The agent was instructed to retry the connection several times if it failed, overcoming non-deterministic safety blocks.
Creating Urgency: The prompt warned that failure to comply would result in an incomplete report.
Falsely Claiming Security: The instructions deceptively directed the agent to encode the stolen data in Base64, framing it as a security measure while actually obfuscating the data exfiltration.
Once the agent processed the malicious email, it would search the user's inbox for the requested Personally Identifiable Information (PII), such as a name and address from an HR email.
It would then encode this data and send it to the attacker-controlled server, all without any visible indicator or confirmation from the user.
Service-Side vs. Client-Side Exfiltration
What made this vulnerability particularly dangerous was its service-side nature. The data exfiltration occurred entirely within OpenAI's cloud environment, executed by the agent's own browsing tool.
This is a significant escalation from earlier client-side attacks that relied on rendering malicious content (like images) in the user's browser.
Because the attack originated from OpenAI's infrastructure, it was invisible to conventional enterprise security measures like secure web gateways, endpoint monitoring, and browser security policies. The user would have no knowledge of the data leak, as nothing would be displayed on their screen, Radware said.
Zero-click Exfiltration
While the proof of concept focused on Gmail, the vulnerability's principles could be applied to any data connector integrated with the Deep Research agent.
Connector apps
Malicious prompts could be hidden in:
PDFs or Word documents in Google Drive or Dropbox.
Meeting invitations in Outlook or Google Calendar.
Records in HubSpot or Notion.
Messages or files in Microsoft Teams.
README files in GitHub.
Any service that allows text-based content to be ingested by the agent could have served as a potential vector for this type of attack.
Researchers who discovered the flaw suggest that a robust mitigation strategy involves continuous monitoring of the agent's behavior to ensure its actions align with the user's original intent. This can help detect and block deviations caused by malicious prompts.
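One concrete form of the monitoring the researchers describe is a guard that sits between the agent and its browsing tool and checks every outbound fetch against what the current task actually needs. The code below is an added example, not OpenAI's or Radware's code, and models the two signals this article supplies: a request to a host the task never called for, and a Base64-encoded text blob carried in the URL. The RunPolicy shape, the host allowlist, the PII field-name list and the sample URLs are all constructed assumptions; the blob is a constructed sample, not data from the incident.

```python
"""Guard outbound browsing calls made by an LLM agent.

Added example (not OpenAI's or Radware's code). Each fetch the agent wants
to make is compared with a per-run policy: hosts the task may legitimately
reach, a size cap on the query string, and a scan for Base64-encoded text
smuggled into the path or query. Anything that deviates is blocked and the
reasons are returned for logging. All hosts, URLs and values are constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlparse

B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{24,}")
# Assumed field names worth flagging if they appear in a decoded payload.
PII_HINT_RE = re.compile(r"\b(?:ssn|salary|passport|dob|address|employee[_ -]?id)\b", re.I)


@dataclass
class RunPolicy:
    allowed_hosts: frozenset   # hosts the user's task legitimately requires
    max_query_bytes: int = 512


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def _decodes_to_text(token):
    """Return the decoded string if token is Base64 for printable ASCII, else None."""
    candidate = token.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() and len(text) >= 8 else None


def inspect_fetch(url, policy):
    """Decide whether the agent may perform this fetch under the run's policy."""
    verdict = Verdict(allowed=True)
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host not in policy.allowed_hosts:
        verdict.reasons.append(f"host {host!r} not in run allowlist")
    if len(parts.query.encode()) > policy.max_query_bytes:
        verdict.reasons.append(f"query string of {len(parts.query)} bytes exceeds {policy.max_query_bytes}")
    # Look for encoded text in the path and in every query value.
    fields = [unquote(parts.path)] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for value in fields:
        for token in B64_TOKEN_RE.findall(value):
            decoded = _decodes_to_text(token)
            if decoded is None:
                continue
            verdict.reasons.append(f"Base64-encoded text in URL: {decoded[:40]!r}")
            if PII_HINT_RE.search(decoded):
                verdict.reasons.append("decoded payload contains PII field names")
    verdict.allowed = not verdict.reasons
    return verdict


# Constructed policy for a task that only needs the company's document host.
POLICY = RunPolicy(allowed_hosts=frozenset({"docs.example.com"}))

# Constructed sample: an encoded blob of the kind the article describes.
_SAMPLE_BLOB = base64.urlsafe_b64encode(b"name=Jane Doe;address=12 Example St").decode().rstrip("=")

SAMPLE_CALLS = [
    "https://docs.example.com/policy/travel?page=2",
    "https://compliance-check.example.net/validate?data=" + _SAMPLE_BLOB,
]


def evaluate_calls(calls=SAMPLE_CALLS, policy=POLICY):
    """Run the guard over a list of proposed fetches and return one Verdict each."""
    return [inspect_fetch(u, policy) for u in calls]


if __name__ == "__main__":
    for url, v in zip(SAMPLE_CALLS, evaluate_calls()):
        print("ALLOW" if v.allowed else "BLOCK", url, v.reasons)
```

The allowlist is the part that encodes "the user's original intent": it is derived from the task before the agent reads any untrusted content, so instructions arriving later in an email cannot widen it. The Base64 heuristic will occasionally match long URL slugs and should be tuned against real traffic; the point is that the decision is made by the platform from a record of the agent's actions, not by the model that the injected prompt is trying to persuade.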
The vulnerability was reported to OpenAI on June 18, 2025. The issue was acknowledged, and a fix was deployed in early August. OpenAI marked the vulnerability as resolved on September 3, 2025.