Cyber Web Spider Blog – News

ShadowLeak Zero-Click Flaw Leaks Gmail Data via OpenAI ChatGPT Deep Research Agent

Posted on September 20, 2025 By CWS

Sep 20, 2025Ravie LakshmananArtificial Intelligence / Cloud Safety
Cybersecurity researchers have disclosed a zero-click flaw in OpenAI ChatGPT’s Deep Analysis agent that would permit an attacker to leak delicate Gmail inbox knowledge with a single crafted e mail with none person motion.
The brand new class of assault has been codenamed ShadowLeak by Radware. Following accountable disclosure on June 18, 2025, the problem was addressed by OpenAI in early August.
“The assault makes use of an oblique immediate injection that may be hidden in e mail HTML (tiny fonts, white-on-white textual content, format tips) so the person by no means notices the instructions, however the agent nonetheless reads and obeys them,” safety researchers Zvika Babo, Gabi Nakibly, and Maor Uziel mentioned.
“In contrast to prior analysis that relied on client-side picture rendering to set off the leak, this assault leaks knowledge straight from OpenAI’s cloud infrastructure, making it invisible to native or enterprise defenses.”

Launched by OpenAI in February 2025, Deep Research is an agentic capability built into ChatGPT that conducts multi-step research on the internet to produce detailed reports. Similar analysis features have been added to other popular artificial intelligence (AI) chatbots like Google Gemini and Perplexity over the past year.
In the attack detailed by Radware, the threat actor sends a harmless-looking email to the victim. The email contains invisible instructions, hidden using white-on-white text or CSS trickery, that tell the agent to gather the victim's personal information from other messages in the inbox and exfiltrate it to an external server.
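
The hiding tricks named above (tiny fonts, white-on-white text, elements that are never rendered) can be separated from the visible body before email HTML is handed to an agent. This is an added example, not code from Radware or OpenAI; `split_email`, the 2px/2pt cut-off, the white-background default and the reliance on well-formed inline-styled markup are assumptions, and the sample message is constructed.

```python
import re
from html.parser import HTMLParser
VOID = {"br", "img", "hr", "meta", "input", "link", "area", "base", "col", "wbr"}
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}

def hiding_reason(style):
    """Why an inline style hides its text, or None. A heuristic, not a CSS engine."""
    props = dict(d.split(":", 1) for d in (style or "").lower().replace(" ", "").split(";") if ":" in d)
    if props.get("display") == "none" or props.get("visibility") == "hidden":
        return "not rendered"
    size = re.fullmatch(r"(\d*\.?\d+)(px|pt)", props.get("font-size", ""))
    if size and float(size.group(1)) <= 2:       # assumed cut-off for unreadable text
        return "tiny font"
    # Assumption: the message renders on white unless a background colour is set.
    if props.get("color") in WHITE and props.get("background-color", "white") in WHITE:
        return "white-on-white"

class VisibleTextSplitter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []                          # hiding reason (or None) per open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:                      # void elements have no end tag to pop on
            reason = hiding_reason(dict(attrs).get("style"))
            self.stack.append("non-content" if tag in ("script", "style") else reason)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        reason = next((r for r in self.stack if r), None)    # hidden ancestors hide children
        if text and reason:
            self.hidden.append((reason, text))
        elif text:
            self.visible.append(text)

def split_email(html):
    parser = VisibleTextSplitter()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.hidden
# Constructed sample message; the hidden strings are harmless placeholders.
SAMPLE = ('<div><p>Hi, the Q3 planning notes are attached.</p>'
          '<span style="font-size:1px; color:#FFFFFF">PLACEHOLDER hidden text</span>'
          '<div style="display:none"><b>PLACEHOLDER second block</b></div><p>Regards,<br>Alex</p></div>')
```

Only the first value returned by `split_email` would be passed to the agent; a non-empty second value is a signal worth logging or quarantining on.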

Thus, when the victim prompts ChatGPT Deep Research to analyze their Gmail emails, the agent parses the indirect prompt injection in the malicious email and transmits the details in Base64-encoded format to the attacker using the tool browser.open().
“We crafted a new prompt that explicitly instructed the agent to make use of the browser.open() tool with the malicious URL,” Radware said. “Our final and successful strategy was to instruct the agent to encode the extracted PII into Base64 before appending it to the URL. We framed this action as a necessary security measure to protect the data during transmission.”
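
For teams that run their own agent tool layer, the exfiltration pattern described above (PII Base64-encoded and appended to a URL passed to a browsing tool) can be checked at the point where the tool call is made. This is an added example, not Radware's or OpenAI's code; `check_tool_url`, the host allowlist and the email-only PII pattern are assumptions, and the sample record and hosts are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")    # standard or URL-safe alphabet
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def url_fields(url):
    """Path segments and query values, percent-decoded."""
    parts = urlsplit(url)
    fields = parts.path.split("/")
    for pair in parts.query.split("&"):
        fields.append(pair.partition("=")[2] or pair)
    return [unquote(f) for f in fields if f]

def decoded_text(url):
    """Decode every Base64-looking run in the URL that yields valid UTF-8 text."""
    out = []
    for field in url_fields(url):
        for run in B64_RUN.findall(field):
            raw = run.rstrip("=").replace("-", "+").replace("_", "/")
            raw += "=" * (-len(raw) % 4)                # restore padding
            try:
                out.append(base64.b64decode(raw, validate=True).decode("utf-8"))
            except (binascii.Error, UnicodeDecodeError):
                continue                                # not Base64 text after all
    return out

def check_tool_url(url, allowed_hosts):
    """Return (allow, reasons) for a URL the agent asks its browsing tool to open."""
    reasons = []
    host = urlsplit(url).hostname or ""
    if host not in allowed_hosts:                       # assumed policy: explicit allowlist
        reasons.append(f"host {host} is not on the allowlist")
    if any(EMAIL.search(text) for text in decoded_text(url)):
        reasons.append("URL field decodes from Base64 to text with an email address")
    return (not reasons, reasons)

# Constructed sample: a made-up record encoded and appended to a URL, as the article describes.
SAMPLE_RECORD = b"name=Jane Doe;email=jane.doe@example.com"
SAMPLE_URL = "https://collector.example.net/lookup/" + base64.urlsafe_b64encode(SAMPLE_RECORD).decode()
ALLOWED = {"docs.example.com"}
```

The content check is easy to evade with a different encoding, so the allowlist is the stronger of the two controls; the decode step mainly gives responders a readable reason in the log.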
The proof-of-concept (PoC) hinges on users enabling the Gmail integration, but the attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint, effectively broadening the attack surface.
Unlike attacks like AgentFlayer and EchoLeak, which occur on the client side, the exfiltration observed in the case of ShadowLeak takes place directly within OpenAI’s cloud environment, while also bypassing traditional security controls. This lack of visibility is the main aspect that distinguishes it from other similar indirect prompt injection vulnerabilities.
ChatGPT Coaxed Into Solving CAPTCHAs
The disclosure comes as AI security platform SPLX demonstrated that cleverly worded prompts, coupled with context poisoning, can be used to subvert ChatGPT agent’s built-in guardrails and solve image-based CAPTCHAs designed to prove a user is human.

The attack essentially involves opening a regular ChatGPT-4o chat and convincing the large language model (LLM) to come up with a plan to solve what’s described to it as a list of fake CAPTCHAs. In the next step, a new ChatGPT agent chat is opened and the earlier conversation with the LLM is pasted, stating this was “our earlier dialogue” – effectively causing the model to solve the CAPTCHAs without any resistance.

“The trick was to reframe the CAPTCHA as “fake” and to create a conversation where the agent had already agreed to proceed. By inheriting that context, it did not see the usual red flags,” security researcher Dorian Schultz said.
“The agent solved not only simple CAPTCHAs but also image-based ones — even adjusting its cursor to mimic human behavior. Attackers could reframe real controls as ‘fake’ to bypass them, underscoring the need for context integrity, memory hygiene, and continuous red teaming.”

The Hacker News Tags: Agent, ChatGPT, Data, Deep, Flaw, Gmail, Leaks, OpenAI, Research, ShadowLeak, ZeroClick
