A zero-click vulnerability named ShadowLeak was discovered in OpenAI’s ChatGPT Deep Research tool in June 2025, allowing hackers to steal Gmail data without any user interaction. Attackers embedded hidden prompts (via white-on-white text, tiny fonts, or CSS tricks) in seemingly harmless emails. When users asked the AI agent to analyze their Gmail inbox, the tool unknowingly executed malicious commands, exfiltrating sensitive data to an external server within OpenAI’s cloud bypassing antivirus and firewalls. The flaw was patched in August 2025, but experts warn of similar risks as AI integrations expand across platforms like Gmail, Dropbox, and SharePoint. The attack exploited AI’s trust in encoded instructions (e.g., Base64 data disguised as security measures) and demonstrated how context poisoning could silently bypass safeguards. Google confirmed data theft by a known hacker group, highlighting the threat of AI-driven exfiltration in third-party app ecosystems.
Source: https://www.aol.com/articles/ai-flaw-leaked-gmail-data-150027451.html
TPRM report: https://www.rankiteo.com/company/openai
"id": "ope2892428101825",
"linkid": "openai",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Artificial Intelligence',
'location': 'San Francisco, California, USA',
'name': 'OpenAI',
'type': 'Technology Company (AI)'},
{'customers_affected': 'Unknown (Potentially All Gmail '
'Users with ChatGPT Deep '
'Research Integration)',
'industry': 'Internet Services',
'location': 'Global',
'name': 'Google (Gmail Users)',
'type': 'Technology Company (Cloud/Email)'}],
'attack_vector': ['Hidden Prompts in Emails (White-on-White Text, Tiny Fonts, '
'CSS Tricks)',
'AI Agent (ChatGPT Deep Research) Misuse',
'Base64-Encoded Data Exfiltration via Malicious URL',
'Cloud-Based Exploitation (Bypassing Local Defenses)'],
'customer_advisories': ['Users advised to audit AI tool integrations (e.g., '
'ChatGPT plugins) and remove unnecessary connections.',
'Warnings issued about analyzing unverified '
'emails/documents with AI agents.',
'Guidance provided on recognizing hidden prompt '
'techniques (e.g., invisible text).'],
'data_breach': {'data_exfiltration': ['Base64-Encoded Data Sent to External '
'Server via Malicious URL'],
'personally_identifiable_information': ['Potential (Dependent '
'on Email Content)'],
'sensitivity_of_data': 'High (Email Communications May '
'Include Sensitive Personal/Business '
'Data)',
'type_of_data_compromised': ['Email Content',
'Potentially Attachments',
'Personally Identifiable '
'Information (PII) if Present in '
'Emails']},
'date_detected': '2025-06',
'date_publicly_disclosed': '2025-08',
'date_resolved': '2025-08',
'description': "Hackers exploited a zero-click vulnerability in ChatGPT's "
"Deep Research tool, dubbed 'ShadowLeak,' to steal Gmail data "
'without requiring user interaction. The attack involved '
'embedding hidden instructions in emails (using white-on-white '
'text, tiny fonts, or CSS tricks) that were executed when the '
"AI agent analyzed the user's Gmail inbox. The compromised "
'agent then exfiltrated sensitive data to an external server '
"within OpenAI's cloud environment, bypassing local defenses "
'like antivirus or firewalls. The vulnerability was discovered '
'by Radware in June 2025 and patched by OpenAI in early August '
'2025. The attack highlights risks in AI integrations with '
'third-party platforms like Gmail, Dropbox, and SharePoint, '
'where hidden prompts can manipulate AI behavior without user '
'awareness.',
'impact': {'brand_reputation_impact': ['Negative Publicity for OpenAI and '
'Google',
'Erosion of Trust in AI Security for '
'Email Management'],
'data_compromised': ['Gmail Data',
'Potentially Google Drive/Dropbox Data (if '
'integrated)'],
'identity_theft_risk': ['High (Exfiltrated Gmail Data Could '
'Include PII)'],
'operational_impact': ['Loss of Trust in AI-Assisted Email '
'Analysis',
'Increased Scrutiny of Third-Party AI '
'Integrations'],
'systems_affected': ['ChatGPT Deep Research Agent',
'OpenAI Cloud Environment',
'Gmail (via Third-Party Integration)']},
'initial_access_broker': {'entry_point': 'Hidden Prompts in Emails (Analyzed '
'by ChatGPT Deep Research Agent)',
'high_value_targets': ['Gmail Inboxes',
'Google Drive/Dropbox (if '
'Integrated)']},
'investigation_status': 'Resolved (Patch Deployed)',
'lessons_learned': ['AI integrations with third-party apps (e.g., Gmail) '
'introduce high-risk attack surfaces.',
'Hidden prompts (e.g., white-on-white text) can bypass '
'user awareness and traditional defenses.',
'Cloud-based AI exploits evade local security tools like '
'antivirus and firewalls.',
'Over-permissive AI agent capabilities (e.g., browser '
'tools, data exfiltration) require stricter controls.',
'Prompt injection vulnerabilities may resurface as AI '
'adoption grows.'],
'motivation': ['Data Theft',
'Exploitation of AI Trust Mechanisms',
'Demonstration of Cloud-Based Attack Capabilities'],
'post_incident_analysis': {'corrective_actions': ['OpenAI patched the Deep '
'Research tool to sanitize '
'hidden prompts (August '
'2025).',
'Recommended restricting AI '
'agent access to sensitive '
'third-party apps.',
'Enhanced monitoring for '
'anomalous AI-driven data '
'exfiltration.',
'Public awareness campaigns '
'about zero-click AI '
'exploits.'],
'root_causes': ['Lack of input validation for '
'hidden commands in AI-analyzed '
'content.',
'Overly permissive third-party app '
'access for AI agents.',
'Insufficient sandboxing of AI '
"browser tools within OpenAI's "
'cloud environment.',
'Assumption that AI agents would '
'ignore non-visible or obfuscated '
'prompts.']},
'recommendations': ['Disable unused AI integrations (e.g., Gmail, Google '
'Drive, Dropbox) to reduce attack surface.',
'Limit personal data exposure online to mitigate '
'cross-referencing risks in breaches.',
'Use data removal services to erase personal information '
'from public databases.',
'Avoid analyzing unverified/suspicious content with AI '
'tools to prevent hidden prompt execution.',
'Enable automatic updates for AI platforms (OpenAI, '
'Google) to patch vulnerabilities promptly.',
'Deploy strong antivirus software with real-time threat '
'detection for AI-driven exploits.',
'Implement layered security (e.g., browser updates, '
'endpoint protection, email filtering).',
'Monitor AI agent activities for anomalous behavior '
'(e.g., unexpected data exfiltration).',
'Restrict AI agent permissions to minimize potential '
'damage from prompt injection.'],
'references': [{'date_accessed': '2025-08',
'source': 'Radware Research Report'},
{'date_accessed': '2025-08',
'source': "Fox News - 'AI flaw leaked Gmail data before "
"OpenAI patch'"},
{'date_accessed': '2025-08',
'source': "CyberGuy.com - 'Hacker Exploits AI Chatbot in "
"Cybercrime Spree'",
'url': 'https://www.cyberguy.com/newsletter'},
{'date_accessed': '2025',
'source': 'SPLX Research (Dorian Schultz) - CAPTCHA Bypass '
'via AI Context Poisoning'}],
'response': {'communication_strategy': ['Public Disclosure by OpenAI and '
'Radware',
'Media Coverage (Fox News, '
'CyberGuy.com)'],
'containment_measures': ['OpenAI Patch for Deep Research Tool '
'(August 2025)',
'Disabling Vulnerable Integrations '
'(Recommended)'],
'enhanced_monitoring': ['Recommended for AI Agent Activities'],
'incident_response_plan_activated': True,
'remediation_measures': ['Input Sanitization for Hidden Prompts',
'Restricting AI Agent Access to '
'Third-Party Apps'],
'third_party_assistance': ['Radware (Discovery and Analysis)']},
'stakeholder_advisories': ['OpenAI: Recommended disabling unused integrations '
'and updating security settings.',
'Google: Advised users to review third-party app '
'permissions for Gmail.',
'Radware: Published technical details and '
'mitigation strategies for enterprises.'],
'title': "ShadowLeak: Zero-Click Vulnerability in ChatGPT's Deep Research "
'Tool Exploited to Steal Gmail Data',
'type': ['Data Breach',
'Prompt Injection',
'Zero-Click Exploit',
'AI Manipulation'],
'vulnerability_exploited': ["Zero-Click Prompt Injection in ChatGPT's Deep "
'Research Tool',
'Lack of Input Sanitization for Hidden Commands',
'Over-Permissive Third-Party App Access (Gmail, '
'Google Drive, Dropbox)',
'Context Poisoning in AI Conversation History']}