Overview
- Radware detailed a zero‑click method that used hidden instructions in emails to make the Deep Research agent extract inbox data and send it to attacker URLs without any visible UI.
- The leak originated from OpenAI’s servers via agent web requests that embedded sensitive information in URL parameters, leaving minimal client‑side evidence.
- Radware reported the issue on June 18, OpenAI implemented a fix in early August, and the company acknowledged the resolution on September 3, with Radware confirming the exploit no longer works.
- Although the proof of concept used Gmail, Radware said the same technique could affect other Deep Research connectors, including Google Drive, Dropbox, Outlook, Microsoft Teams, GitHub, HubSpot, and Notion.
- Radware contrasted the server‑side nature of ShadowLeak with prior client‑side demonstrations and urged enterprises to monitor agent actions and intent to detect and block exfiltration attempts in real time.