Overview

• Radware detailed a zero‑click method that used hidden instructions in emails to make the Deep Research agent extract inbox data and send it to attacker URLs without any visible UI.
• The leak originated from OpenAI’s servers via agent web requests that embedded sensitive information in URL parameters, leaving minimal client‑side evidence.
• Radware reported the issue on June 18, OpenAI implemented a fix in early August, and the company acknowledged the resolution on September 3, with Radware confirming the exploit no longer works.
• Although the proof of concept used Gmail, Radware said the same technique could affect other Deep Research connectors, including Google Drive, Dropbox, Outlook, Microsoft Teams, GitHub, HubSpot, and Notion.
• Radware contrasted the server‑side nature of ShadowLeak with prior client‑side demonstrations and urged enterprises to monitor agent actions and intent to detect and block exfiltration attempts in real time.