'ShadowLeak' Attack Enables Data Theft in ChatGPT

Cybersecurity in Artificial Intelligence (AI) platforms has become a growing focus as these tools integrate more deeply into our personal and professional lives. Recently, a significant vulnerability named 'ShadowLeak' was identified by the Radware team and patched in ChatGPT. This attack demonstrated a sophisticated "zero-click" Indirect Prompt Injection (IPI) method capable of exfiltrating sensitive data directly from OpenAI's infrastructure.
What is the 'ShadowLeak' Attack?
'ShadowLeak' was a zero-click indirect prompt injection vulnerability that affected ChatGPT's autonomous research agent, known as Deep Research. The attack occurred when the agent was connected to external data sources, such as Gmail.
A malicious actor could send an email containing hidden instructions that, when processed by the agent during a legitimate task (such as "summarize my emails for today"), manipulated it into leaking sensitive information to an attacker-controlled server.
The most critical aspect of 'ShadowLeak' is that the data exfiltration was "server-side." Unlike previous vulnerabilities that relied on client-side content rendering to trigger the leak, this attack occurred entirely within OpenAI's cloud infrastructure. This made it invisible to an organization’s traditional security defenses.
Technical Breakdown of the Exploit Chain
The 'ShadowLeak' exploit chain begins with an email sent to the victim's inbox; the victim does not need to open or act on it. The attack vector is not the email itself, but the malicious instructions hidden within its HTML content.
Using obfuscation techniques, such as setting the font size to zero or matching the text color to the background, the malicious actor inserts a prompt that remains invisible to a human reader but is perfectly legible to the AI agent when it analyzes the raw email data.
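The defensive counterpart to this step is to look at the same raw HTML the agent sees and separate what a person would read from what only a parser would read, so hidden fragments can be stripped or flagged before the message reaches the model. The following is an added example, not code from the article or from Radware's research; it uses only the Python standard library, and the sample message, the hidden placeholder strings, the small list of void tags, and the white-background assumption for light text with no background set are all constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Elements that never close and carry no text (assumption: a minimal list is enough here).
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


def style_hides_text(attrs):
    """Return True if an element's attributes make its text invisible to a human reader.

    Covers the tricks named in the article (zero font size, text colour equal to the
    background colour) plus the common display:none / visibility:hidden / hidden cases.
    Assumes a white page background when an element sets a light colour but no background.
    """
    a = dict(attrs)
    if "hidden" in a:
        return True
    style = (a.get("style") or "").lower().replace(" ", "")
    if re.search(r"font-size:0(px|pt|em|rem|%)?(;|$)", style):
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    color = re.search(r"(?<![a-z-])color:([^;]+)", style)
    bg = re.search(r"background(-color)?:([^;]+)", style)
    if color and bg and color.group(1) == bg.group(2):
        return True
    if color and not bg and color.group(1) in {"white", "#fff", "#ffffff"}:
        return True
    return False


class HiddenTextFinder(HTMLParser):
    """Splits the text of an HTML body into what a person sees and what only a parser sees."""

    def __init__(self):
        super().__init__()
        self.stack = []      # one flag per open element: is this subtree hidden?
        self.hidden = []     # text fragments a human would not see
        self.visible = []    # text fragments a human would see

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        parent_hidden = self.stack[-1] if self.stack else False
        self.stack.append(parent_hidden or style_hides_text(attrs))

    def handle_startendtag(self, tag, attrs):
        pass  # self-closing elements contribute no text

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)


def split_email_text(html):
    """Return (visible_text, hidden_text) for an HTML email body."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return " ".join(finder.visible), " ".join(finder.hidden)


# Constructed sample message: one normal paragraph plus three fragments hidden in the
# ways the article describes. The hidden strings are placeholders, not real prompt text.
SAMPLE_EMAIL_HTML = """
<html><body style="background:#ffffff">
<p>Hi team, the Q3 report is attached. <br> Let me know if anything is missing.</p>
<span style="font-size: 0px">HIDDEN ONE</span>
<div style="color:#ffffff; background-color:#ffffff">HIDDEN TWO</div>
<p style="display:none">HIDDEN THREE</p>
<p>Regards, Alice</p>
</body></html>
"""

if __name__ == "__main__":
    visible, hidden = split_email_text(SAMPLE_EMAIL_HTML)
    print("visible:", visible)
    print("hidden :", hidden)
```

A connector that feeds email into an agent could run `split_email_text` on each message and either drop the hidden portion or attach it to the task as untrusted data with a warning, which is cheap compared with trying to make the model itself resist instructions it has already read. The style matching is deliberately conservative and will miss CSS delivered in `<style>` blocks or off-screen positioning; it is the pattern, not the rule list, that matters.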
The vulnerability was triggered when a user legitimately requested a task from the ChatGPT agent involving the processing of that specific email. Once ingested, the malicious prompt employed AI-targeted social engineering to bypass security mechanisms.
The prompt was constructed with authoritative language and the pretext of urgency, claiming that the agent had "full authorization" to execute the tasks and that failure to do so would result in "report deficiencies." This manipulated the model into prioritizing malicious instructions over its standard security guidelines.
A practical example of a prompt that would exploit this vulnerability would be the following:
The technical core of the exfiltration resided in a carefully orchestrated sequence of commands. First, the prompt instructed the agent to identify and extract Personally Identifiable Information (PII) from the available context, such as full names, addresses, or other sensitive data found within the victim's emails.
Then, in a step crucial for evasion, the agent was instructed to encode this data in Base64. This process transformed readable data, such as "John Due," into an opaque alphanumeric string, like Sm9obiBEdWU=.
Evasion and Data Exfiltration
With the data obfuscated, the next step involved constructing a malicious URL by appending the resulting Base64 string as a query parameter. To appear as a legitimate operation, the URL was disguised within the prompt as a "compliance validation system" or a "profile recovery interface."
Finally, the agent was instructed to execute an HTTP GET request to this URL using its internal tools, such as browser.open().
The Role of Encoding: This encoding step was fundamental to the attack's success. The tool's execution layer, responsible for a final security check, failed to detect the PII leak because the outgoing request did not contain sensitive data in plaintext, only the seemingly harmless Base64 string.
The request was then executed directly from OpenAI's servers, completing the server-side data exfiltration to an attacker-controlled endpoint without triggering any alerts in the victim organization's security infrastructure.
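The weakness described in these two paragraphs is an egress check that inspects only the literal bytes of the outgoing request, so one layer of Base64 is enough to hide the PII. The following is an added example, not the article's code and not a description of how OpenAI's patch works: a host-side guard that sits between an agent's `browser.open()`-style tool and the network, decodes each URL component through URL-encoding and Base64 (nested up to two levels) before matching it against the sensitive strings known to be in the agent's context, and also enforces a destination allowlist. The `CONTEXT_PII` list, the `ALLOWED_HOSTS` set and the sample URLs are constructed for the example; the Base64 value is the one the article itself gives for "John Due".

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed: sensitive strings the host knows are in the agent's current context
# (in practice this would be populated from the documents the agent has loaded).
CONTEXT_PII = ["John Due", "jdue@example.com", "123 Main Street"]

# Constructed allowlist of hosts the agent may fetch from (assumption, not OpenAI's policy).
ALLOWED_HOSTS = {"mail.google.com", "docs.example.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def try_base64(value):
    """Decode value as (standard or URL-safe) Base64 text, or return None if it is not."""
    s = value.strip()
    if len(s) < 4 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", s):
        return None
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)          # tolerate stripped padding
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):   # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def decode_candidates(value, depth=2):
    """Return value plus its URL-decoded and Base64-decoded forms, nested up to `depth` times."""
    seen, out, frontier = set(), [], [value]
    for _ in range(depth + 1):
        nxt = []
        for v in frontier:
            if not v or v in seen:
                continue
            seen.add(v)
            out.append(v)
            if unquote(v) != v:
                nxt.append(unquote(v))
            decoded = try_base64(v)
            if decoded is not None:
                nxt.append(decoded)
        frontier = nxt
    return out


def inspect_outbound_url(url):
    """Decide whether the agent may issue a GET to `url`.

    Returns (allowed, reasons). A request is refused when its host is not allowlisted or
    when any path segment or query value, after decoding, contains context PII or an
    e-mail address. Checking the decoded forms is the point: a plaintext-only check is
    what the Base64 step in the article slipped past.
    """
    parts = urlsplit(url)
    reasons = []
    if parts.hostname not in ALLOWED_HOSTS:
        reasons.append(f"host not allowlisted: {parts.hostname}")
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values += [seg for seg in parts.path.split("/") if seg]
    for value in values:
        for form in decode_candidates(value):
            for pii in CONTEXT_PII:
                if pii.lower() in form.lower():
                    reasons.append(f"context PII {pii!r} in value {value!r}")
            if EMAIL_RE.search(form):
                reasons.append(f"e-mail address in value {value!r}")
    return not reasons, reasons


if __name__ == "__main__":
    for u in [
        "https://mail.google.com/mail/u/0/?tab=rm",
        "https://collector.example.invalid/validate?id=Sm9obiBEdWU=",    # Base64("John Due")
        "https://docs.example.com/check?p=U205b2JpQkVkV1U9",              # Base64 applied twice
    ]:
        print(u, inspect_outbound_url(u))
```

Two design points are worth noting. The allowlist catches the article's scenario on its own, but the third sample URL shows why the decoding check is still needed: an allowlisted host can be a redirector or a shared service. And matching against strings the host already knows are in context is more reliable than generic PII regexes, because the guard does not have to guess what counts as sensitive; it only has to notice that something the agent was given is about to leave.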
Potential Impact
The impact of 'ShadowLeak' was severe due to its stealthy nature and the point of origin of the exfiltration.
Invisibility to Corporate Defenses: Since the data leak originated from OpenAI's infrastructure, rather than the victim's devices or corporate network, enterprise security tools (such as DLP, EDR, and firewalls) were completely blind to the attack.
Exposure of Sensitive Data: The attack could leak any information that the ChatGPT agent could access. In the case of Gmail, this included PII, financial data, and credentials. If connected to other sources like Google Drive, Microsoft Teams, or GitHub, the scope would expand to include source code, contracts, and other proprietary information.
OpenAI's Response and Mitigation
OpenAI was notified of the vulnerability on June 18, 2025, and the flaw was patched in early August 2025. Mitigation efforts involved enhancing the agent's security controls to detect and block prompt injection attempts that lead to unauthorized data exfiltration actions.
Conclusion
The 'ShadowLeak' attack represents a milestone in the evolution of AI security threats. It demonstrated that the attack surface has expanded from the client to the server, making detection and prevention significantly more challenging.
As organizations increasingly integrate autonomous AI agents into their workflows, it is imperative to treat them not as mere chatbots, but as privileged systems that require rigorous governance, monitoring, and security controls.