Radware Uncovers Server Side Attack Targeting ChatGPT Known as Shadowleak
Researchers at Radware uncovered a server-side data theft attack targeting ChatGPT, termed as ShadowLeak. The experts discovered the zero-click vulnerability in ChatGPT’s Deep Research agent when connected to Gmail and browsing.
In this attack type ‘Service-side’ pose greater risk as enterprise defenses cannot detect exfiltration because it runs from the provider’s infrastructure.
ShadowLeak a Server side attack
For any normal user there would be no visible signs of data loss as the AI agent acts as a trusted proxy, sending sensitive data to attacker-controlled endpoints. These server-side requests face fewer URL restrictions, letting attackers export data to virtually any destination.
Shadowleak is an uncovered security flaw affecting ChatGPT’s Deep Research Agent. Which can connect to services like Gmail to help users analyze their emails.
Attackers could hide invisible instructions in a regular looking email. When the user asked ChatGPT to review their mailbox contents selecting deep research.
Vulnerability Details
ChatGPT’s Deep Research Agent was vulnerable because it could be tricked into following hidden instructions that were inside a seemingly ordinary email. When users ask the agent to analyze their inbox, any attacker can craft the message with invisible commands and cause AI to leak private data without warning.
These hidden instructions used tricks to fool the AI and get around its built-in safety checks. Some of those tricks included:
- Pretending to Have Permission: The prompt told the agent that it had “full authorization” to access outside websites, even though it didn’t.
- Hiding the Real Purpose: It disguised the hacker’s website as something safe sounding, like a “compliance validation system.”
- Telling the Agent to Keep Trying: If the AI couldn’t reach the attacker’s website the first time, the prompt told it to try again helping it sneak past any temporary protections.
- Creating Urgency: The prompt warned the agent that if it didn’t follow the instructions, it might not complete the report properly pushing it to obey.
- Hiding the Stolen Info: The agent was told to encode the personal data using Base64, which made the data harder to spot and helped hide the theft.
After reading the fake email, the agent would go look through the user’s real emails (like HR messages) and find personal info such as full names and addresses.
Without alerting the user, the AI would send that information to the attacker’s server, happening silently in the background, with no warning or visible signs.
This attack is not limited only to Gmail, also applies to any data sources Deep Research accesses, including Google Drive, Dropbox, Outlook, Teams and more. Any connected service that feeds text into the agent can pose a risk to hidden prompts, making sensitive business data vulnerable to exfiltration.
Source: radware.com
Attack Flow
| Step | Description |
| Malicious Email Crafting | Attackers create a legitimate email embedded with hidden, invisible prompt instructions to extract sensitive data. Use social engineering and obfuscation. |
| Email Delivery and Receipt | The victim receives the email in Gmail without needing to open it; hidden commands are present in the email’s HTML body. |
| User Invokes Deep Research | The victim asks ChatGPT’s Deep Research Agent to analyze their inbox or specific emails, triggering the agent’s activity. |
| Parsing Hidden Instructions | The agent reads and interprets the hidden malicious prompt embedded within the attacker’s email. |
| Extraction of Sensitive Data | Following the instructions, the agent locates and extracts personal information like names and addresses from real emails. |
| Data Exfiltration to Attacker | The agent uses internal tools to send the extracted, often Base64-encoded data to an attacker-controlled external server. |
| Victim Remains Unaware | The entire process happens silently on OpenAI’s servers with no visible alerts or client-side traces for the user or admins. |
Why It’s Effective
This “zero-click” attack happened entirely on OpenAI’s servers, where traditional security tools couldn’t detect or stop it, and victims never saw any warning. OpenAI was informed by radware security team in June 2025 and OpenAI fully patched the issue by September.
The attack runs silently in a trusted cloud environment, invisible to users and traditional security tools.
It tricks the AI into repeatedly sending encoded sensitive data, bypassing safety checks and ensuring successful data theft. This stealthy, zero-click nature means no user interaction is required, making detection extremely difficult and allowing the attacker to exfiltrate data unnoticed over extended periods.
Recommendations:
Here are some recommendations below
- Email Sanitization: Normalize and strip hidden or suspicious HTML/CSS elements from emails before they are processed by AI agents. This reduces the risk of hidden prompt injections.
- Strict Agent Permissions: Limit AI agent access only to the data and tools necessary for its tasks, minimizing exposure to sensitive information.
- Behavior Monitoring: Continuously monitor AI agent actions and behavior in real time to detect anomalies or actions deviating from user intent.
- Regular Patch Management: Keep AI tools, connectors and integrated systems up to date with the latest security fixes and improvements.
- Awareness and Training: Educate users and administrators about the types of attacks AI agents are vulnerable to, fostering vigilance and quick incident response.
Conclusion
The ShadowLeak vulnerability underscores the critical risks posed when powerful AI tools operate without sufficient safeguards. By hiding secret commands inside emails, attackers were able to steal personal information without the user knowing.
This case highlights the need for strong safety measures, including limiting AI access to sensitive information, sanitizing inputs to prevent hidden commands, and continuously monitoring agent behavior to detect anomalies.
As more AI tools are used, it’s important to keep strong security controls and oversight to use these technologies safely and protect sensitive data from new threats.
References:
Recent Comments