ShadowLeak: Radware Uncovers Zero-Click Attack on ChatGPT

Pierluigi Paganini September 18, 2025

Radware discovered a server-side data theft attack, dubbed ShadowLeak, targeting ChatGPT. OpenAI patched the zero-click vulnerability.

Researchers at Radware uncovered a server-side data theft attack targeting ChatGPT, called ShadowLeak. The experts discovered a zero-click vulnerability in ChatGPT’s Deep Research agent when connected to Gmail and browsing. The researchers explained that using a crafted email could trigger the agent to leak sensitive inbox data to an attacker with no user action or visible UI.

“Service-Side Exfiltration: Unlike prior research that relied on client-side image rendering to trigger the leak, this attack leaks data directly from OpenAI’s cloud infrastructure, making it invisible to local or enterprise defenses.” reads the report published by Radware. “The attack utilizes an indirect prompt injection that can be hidden in email HTML (tiny fonts, white-on-white text, layout tricks) so the user never notices the commands, but the agent still reads and obeys them.”

Deep Research lets ChatGPT autonomously browse the web for 5–30 min to create detailed reports with sources. It integrates with apps like GitHub and Gmail for secure data analysis.

Below is the attack flow devised by the researchers:

  1. Attacker sends a convincing email that hides HTML instructions telling the agent to extract PII from the victim’s inbox and call a URL (which actually points to an attacker server).
  2. The message uses social-engineering tactics (false authority, urgency, disguised URLs, persistence prompts, and a ready-made example) to override the agent’s safety checks.
  3. The attack relies on real PII in the mailbox (names, addresses).
  4. When the user asks the agent to “do research” on their emails, the agent reads the malicious email, follows the hidden instructions, and injects the PII into the attacker URL.
  5. The agent sends the data automatically (without user confirmation or visible UI), enabling silent exfiltration to the attacker.

“The leak is Service-side, occurring entirely from within OpenAI’s cloud environment. The agent’s built-in browsing tool performs the exfiltration autonomously, without any client involvement. Prior research—such as AgentFlayer by Zenity and EchoLeak by Aim Security—demonstrated client-side leaks, where exfiltration was triggered when the agent rendered attacker-controlled content (such as images) in the user’s interface.” continues Radware. “Our attack broadens the threat surface: instead of relying on what the client displays, it exploits what the backend agent is induced to execute.”

Service-side attacks pose a greater risk than client-side leaks: enterprise defenses cannot detect the exfiltration because it originates from the provider's infrastructure, and users see no visible sign of data loss. The agent acts as a trusted proxy that sends sensitive data to attacker-controlled endpoints, and unlike client-side protections that restrict where rendered content may send data, these server-side requests face fewer URL restrictions, letting attackers export data to virtually any destination.

The PoC devised by the experts used Gmail, but the same attack works across any Deep Research connector. Files or messages in Google Drive, Dropbox, SharePoint, Outlook, Teams, GitHub, HubSpot, Notion and similar can hide prompt-injection payloads (in content or metadata) or malicious meeting invites, letting attackers trick the agent into exfiltrating contracts, meeting notes, customer records and other sensitive data. Any connector that feeds text into the agent becomes a potential vector.

“Enterprises can deploy a layer of defense by sanitizing email prior to agent ingestion: normalize and strip invisible CSS, obfuscated characters, and suspicious HTML elements. While this technique is valuable, it is far less effective against this new class of insider-like threats—cases where a trusted intelligent agent is manipulated into acting on the attacker’s behalf.” concludes the report. “A more robust mitigation is continuous agent behavior monitoring: tracking both the agent’s actions and its inferred intent and validating that they remain consistent with the user’s original goals. This alignment check ensures that even if an attacker steers the agent, deviations from legitimate intent are detected and blocked in real time.”
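The two defensive layers named above, pre-ingestion sanitization of email HTML and a check on what the agent is about to do, can be sketched in a few dozen lines. The block below is an added example written for this article; it is not code from Radware, OpenAI, or the ShadowLeak report. It strips the hidden-text tricks the report lists (tiny fonts, white-on-white text, `display:none`, zero-width characters) from an email body before an agent reads it, and gates the agent's outbound requests against a host allowlist while refusing URLs that carry an email address in the path or query. The size thresholds (2px, 0.15em, 10%), the allowlist design, and the sample email with its placeholder hidden blocks and `example-corp.com` / `collector.invalid` hosts are all assumptions constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Elements that never carry an end tag, and elements whose text a mail client never renders.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
NON_TEXT_TAGS = {"head", "script", "style", "template", "title"}
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
WHITE = re.compile(r"#(?:fff|ffffff)\b|\bwhite\b|rgb\(255,255,255\)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def style_hides(style):
    """Return a reason string if an inline style makes text invisible, else None.
    The thresholds (2px, 0.15em, 10%) are assumptions chosen for this example."""
    s = style.lower().replace(" ", "")
    if "display:none" in s or "visibility:hidden" in s:
        return "display:none / visibility:hidden"
    if re.search(r"opacity:0(?:\.0+)?(?:;|$)", s):
        return "opacity:0"
    m = re.search(r"font-size:(\d+(?:\.\d+)?)(px|pt|em|%)?", s)
    if m:
        val, unit = float(m.group(1)), m.group(2)
        if (val == 0 or (unit in ("px", "pt") and val <= 2)
                or (unit == "em" and val <= 0.15) or (unit == "%" and val <= 10)):
            return "tiny font (" + m.group(0)[len("font-size:"):] + ")"
    m = re.search(r"(?<![a-z-])color:([^;]+)", s)  # 'color:' but not 'background-color:'
    if m and WHITE.search(m.group(1)):
        return "white text (invisible on a light background)"
    if re.search(r"(?:left|top|text-indent):-\d{3,}", s):
        return "positioned off-screen"
    return None


class HiddenTextStripper(HTMLParser):
    """Keeps only text a human reader would see; records everything else as a finding."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # (tag, hide_reason or None) for each open element
        self.visible = []    # text fragments that survive sanitization
        self.findings = []   # (tag, reason, hidden text) for review or quarantine

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        if tag in NON_TEXT_TAGS:
            reason = "<%s> content is never rendered" % tag
        elif "hidden" in a:
            reason = "hidden attribute"
        else:
            reason = style_hides(a.get("style") or "")
        self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates the sloppy nesting common in email HTML.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        if ZERO_WIDTH.search(data):
            self.findings.append(("text", "zero-width characters", data.strip()[:60]))
            data = ZERO_WIDTH.sub("", data)
        text = " ".join(data.split())
        if not text:
            return
        for tag, reason in self.stack:  # any hidden ancestor hides this text
            if reason:
                self.findings.append((tag, reason, text[:60]))
                return
        self.visible.append(text)


def sanitize_email_html(html):
    """Pre-ingestion step: returns (visible_text, findings) for one email body."""
    p = HiddenTextStripper()
    p.feed(html)
    p.close()
    return " ".join(p.visible), p.findings


def outbound_request_allowed(url, allowed_hosts):
    """Egress gate for the agent's browsing tool: allowlisted hosts only, and no
    email address smuggled into the path or query string. Returns (allowed, reason)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        return False, "host %r is not on the allowlist" % host
    payload = parts.path + " " + " ".join(v for _, v in parse_qsl(parts.query))
    if EMAIL_RE.search(payload):
        return False, "email address embedded in the request"
    return True, "ok"


# Constructed sample: a benign notice with three kinds of hidden content added to it.
SAMPLE_EMAIL_HTML = """<html><head><style>p{margin:0}</style></head><body>
<p>Hi team, the Q3 budget review is moved to Thursday 10:00.</p>
<div style="font-size:1px; color:#ffffff">HIDDEN-INSTRUCTION-PLACEHOLDER</div>
<span style="display:none">SECOND-HIDDEN-PLACEHOLDER</span>
<p>Re\u200bgards,<br>Alice</p>
</body></html>"""

if __name__ == "__main__":
    text, findings = sanitize_email_html(SAMPLE_EMAIL_HTML)
    print("agent sees:", text)
    for f in findings:
        print("finding:", f)
    print(outbound_request_allowed("https://collector.invalid/?u=alice@example.com",
                                   ["example-corp.com"]))
```

Feeding the agent only `visible_text` removes the channel the report describes, while the non-empty `findings` list is the signal to quarantine the message or alert rather than silently pass it on. The egress gate is the simplest form of the behavior check the report recommends: it does not infer intent, but it does stop the specific outcome of the attack flow above, the agent calling an arbitrary URL with mailbox data in it.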

Below is the timeline for this flaw:

  • June 18 – We reported the issue to OpenAI via bugcrowd.com
  • June 19 – bugcrowd.com passes the issue to OpenAI for comment.
  • June 19 – We update the report with an improved and more reliable attack variant.
  • Early August – The vulnerability is fixed. No communication to us.
  • September 3 – OpenAI acknowledges the vulnerability and marks it as resolved.
