Researchers have found a zero-click vulnerability in ChatGPT’s Deep Research agent when it is connected to Gmail and other external services. The vulnerability, known as ShadowLeak, is a class of prompt injection attacks that target AI agents with access to external tools.
Launched in February, Deep Research is an agent designed to synthesize large volumes of online information and handle multi-step research tasks. Unlike standard ChatGPT, which gives quick answers, it searches the web, analyzes complex questions, and compiles structured, in-depth reports.
The tool is also capable of generating reports based on emails, in which case the user must grant it access to their Gmail account.
The attack begins when the attacker sends an HTML email disguised as a normal HR message, with hidden instructions concealed in part through white-on-white text so the user cannot see them. These instructions direct the agent to search the inbox for personal data, format it into a URL, and send it to an external server that is controlled by the attacker.
To appear legitimate, the email frames the server as an official compliance system, claims the agent is authorized to access external URLs, and provides a clear example of how to insert the data. It also instructs the agent to retry if needed, be creative in reaching the endpoint, and encode the data in Base64 to hide it in transit and server logs.
Attacker’s Email
Source: Radware
For the attack to succeed, there must be real Personally Identifiable Information (PII) in the mailbox, such as names, addresses, phone numbers, or employee IDs.
The attack activates when a user requests the agent to analyze or summarize emails. At that point, the agent aggregates text from multiple messages into its task context, and any hidden instructions in a malicious email can be executed without additional confirmation. The agent then extracts the identified PII and sends it to the attacker-controlled server.
Attack Flow
Source: Radware
While the researchersโ proof of concept focused on Gmail, the attack can target any Deep Research connector that handles structured or semi-structured text, including cloud storage platforms like Dropbox, email and calendar services like Outlook, collaboration and CRM tools like Notion, and developer platforms like GitHub.
OpenAI has since addressed and resolved the issue.
Radware researchers recommend continuously monitoring the agentโs behaviour, keeping track of its actions, and ensuring that its outputs remain aligned with the userโs original goals. This real-time oversight ensures that any attempts to manipulate the agent are detected and blocked before they can cause harm.
In addition, enterprises should adopt best practices such as least-privilege techniques to limit the tools an AI agent can access, and regular red-teaming to identify vulnerabilities early.
About the author:
