Critical vulnerabilities in ChatGPT allow attackers to exfiltrate sensitive information from connected services like Gmail, Outlook, and GitHub without user interaction.
Dubbed ShadowLeak and ZombieAgent, these flaws exploit the AI's Connectors and Memory features for zero-click attacks, persistence, and even propagation.
OpenAI's Connectors enable ChatGPT to integrate with external systems such as Gmail, Jira, GitHub, Teams, and Google Drive in just a few clicks.
The Memory feature, enabled by default, stores user conversations and information for personalized responses, allowing the AI to read, edit, or delete entries.
While enhancing utility, these capabilities grant broad access to personal and corporate information, amplifying risks from inadequate safeguards.
ChatGPT Zero-Click and One-Click Attacks
Attackers send malicious emails or share files embedding hidden instructions, invisible to users, via white text, tiny fonts, or footers.
Attack Chain (Source: Radware)
In the zero-click server-side variant, ChatGPT scans the inbox during routine tasks like summarizing emails, executes the payload, and leaks information via OpenAI's servers before users notice.
A one-click version triggers when victims upload tainted files, enabling chained attacks on connected repositories or drives.
| Attack Type | Trigger | Exfiltration Method | Scope |
|---|---|---|---|
| Zero-Click Server-Side | Shared a malicious file | Via browser.open() tool on OpenAI servers | Gmail inboxes, PII |
| One-Click Server-Side | Memory modification via a file | Hidden prompts in docs | Google Drive, GitHub |
| Persistence (ZombieAgent) | Memory modification via file | Ongoing leaks per query | All chats, medical information |
| Propagation | Email address harvesting | Auto-forward to contacts [query context] | Organizational spread |
OpenAI blocked dynamic URL modifications, but researchers bypassed this with pre-built URLs for each character (a-z, 0-9, $ for spaces).
ChatGPT normalizes sensitive strings like "Zvika Doe" to "zvikadoe", then sequentially opens static links like compliance.hr-service.web/get-public-joke/z, exfiltrating information without constructing a URL. This server-side method evades client-side defenses, browsers, and UI visibility.
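The per-character pattern described above leaves a recognizable trace in an agent's outbound fetch log: a run of consecutive requests to one host and path that differ only in a single-character final segment. The following detection sketch is an added example, not code from Radware or OpenAI; it assumes an ordered list of URLs the agent opened is available, and the function name, the `min_run` threshold, and the `.example` hosts are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Final path segment is exactly one character from the alphabet the article
# describes: a-z, 0-9, and "$" standing in for a space.
SINGLE_CHAR = re.compile(r"^(?P<prefix>.*/)(?P<ch>[a-z0-9$])$")

def find_char_exfil(urls, min_run=5):
    """Return (host+path prefix, reconstructed text) for each run of
    consecutive fetches that differ only in a one-character last segment."""
    findings, prefix, chars = [], None, []

    def flush():
        # Report the current run only if it is long enough to be suspicious.
        if prefix is not None and len(chars) >= min_run:
            findings.append((prefix, "".join(chars).replace("$", " ")))

    for url in urls:
        parts = urlsplit(url)
        m = SINGLE_CHAR.match(parts.path)
        key = f"{parts.netloc.lower()}{m['prefix']}" if m else None
        if key != prefix:          # run broken: different target or benign URL
            flush()
            prefix, chars = key, []
        if m:
            chars.append(m["ch"])
    flush()                        # close a run that ends the log
    return findings

# Constructed agent fetch log (hypothetical hosts), in request order.
SAMPLE_FETCHES = (
    ["https://news.example/today"]
    + [f"https://exfil-test.example/get-public-joke/{c}" for c in "zvikadoe"]
    + ["https://docs.example/help/faq"]
)

if __name__ == "__main__":
    for target, text in find_char_exfil(SAMPLE_FETCHES):
        print(f"per-character fetch run to {target!r}: {text!r}")
```

Because the fetches originate from the provider's servers, this check only helps where the agent's tool-call or fetch log is visible to the defender.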
For persistence, attackers inject memory-altering rules via files: on every message, read a specific attacker email and leak information first.
Despite OpenAI's restrictions on mixing Connectors and Memory, reverse access works, enabling endless exfiltration even in new chats. Propagation scans inboxes for addresses, exfiltrates them, and attacker servers auto-send payloads, targeting organizations.
Radware reported the issues on September 26, 2025, via BugCrowd, providing details and upgrades. OpenAI fixed ShadowLeak on September 3 and the full set on December 16, 2025, after reproduction.
Experts urge monitoring agent behaviors and sanitizing inputs, as agentic AI blind spots persist.
