Overview

• Radware detailed a zero-click technique that used hidden email instructions to make the Deep Research agent send inbox PII to an attacker-controlled URL from OpenAI’s servers.
• The exfiltration ran from provider infrastructure, leaving no traces in the ChatGPT client and evading typical endpoint or network defenses.
• OpenAI received the report on June 18 via Bugcrowd, deployed a fix in early August, and acknowledged resolution on September 3 before public disclosures on September 18.
• The proof-of-concept targeted Gmail, and researchers cautioned that connectors such as Google Drive, Dropbox, Outlook, Microsoft Teams, GitHub, HubSpot, and Notion could enable similar leaks.
• Radware confirmed the demonstrated attack no longer works and advised HTML sanitization, outbound request restrictions, and continuous monitoring with intent-alignment checks for agents.