Particle.news

OpenAI Patches 'ShadowLeak' After Radware Shows Zero-Click Data Theft From ChatGPT Deep Research

The proof-of-concept exfiltrated Gmail PII from OpenAI’s cloud, exposing a wider class of service-side risks for autonomous, connector-enabled agents.

Overview

  • Radware’s research used hidden HTML prompt injections to steer the Deep Research agent to extract names and addresses and send them to an attacker-controlled endpoint via browser.open, with base64 encoding to bypass checks.
  • The issue was reported to OpenAI on June 18 via Bugcrowd, fixed in early August, and marked resolved on September 3, with technical details published this week.
  • Radware and multiple outlets report no evidence of real-world exploitation before the fix, and the published proof-of-concept no longer works.
  • Because the exfiltration originated from OpenAI infrastructure, the leak left no traces on user devices and evaded typical endpoint or gateway defenses.
  • Researchers warn similar service-side manipulations could target other Deep Research connectors such as Google Drive, Dropbox, Outlook, Teams, GitHub, HubSpot, and Notion, recommending input sanitization, tighter tool permissions, comprehensive logging, and continuous agent-intent monitoring.