ChatGPT's ShadowLeak Vulnerability Exposed Gmail Data Theft

ChatGPT's ShadowLeak Vulnerability: A Stealthy Gmail Data Theft

Security researchers have uncovered a critical vulnerability in ChatGPT's 'Deep Research' mode, enabling attackers to silently extract sensitive data from users' Gmail accounts. Dubbed 'ShadowLeak,' this flaw exploited OpenAI's own cloud infrastructure, making it nearly undetectable by traditional security measures.

How the Attack Worked

The attack began with a carefully disguised email containing hidden HTML instructions. These directives tricked ChatGPT's Deep Research agent into extracting personal data—such as names and addresses—from other emails in the user's inbox. The stolen information was then encoded using Base64 and sent to an external server controlled by the attacker.

Key to the attack's success was social engineering. Attackers manipulated the agent into believing it had authorization to perform the task, often citing urgent reasons like "incomplete reports." When users initiated a Deep Research query (e.g., "analyze my HR emails today"), the agent unknowingly executed malicious commands without alerting the user.

The Root Cause: Tool Execution Flaws

Radware researchers clarified that the vulnerability did not stem from ChatGPT's language model itself, but rather from its ability to execute tools. Specifically, an internal function called browser.open() allowed the agent to initiate HTTP requests, creating an entry point for exploitation.
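
One way to gate the outbound requests described above, as an added example (not code from Radware, OpenAI or the original article): a policy check run before an agent's URL-fetch tool executes, combining a host allowlist with a heuristic for Base64-encoded text in URL components. The function names, allowlisted hosts and sample URL are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Assumption: hosts this agent legitimately needs (example values only).
ALLOWED_HOSTS = {"mail.google.com", "docs.example.com"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

# Constructed sample: fake personal data encoded the way the article describes.
SAMPLE_TOKEN = base64.urlsafe_b64encode(b"name=Jane Doe;addr=1 Main St").decode()
SAMPLE_URL = "https://collector.example.net/lookup/" + SAMPLE_TOKEN


def decodes_to_text(token: str) -> bool:
    """True if token is Base64 (standard or URL-safe) of mostly printable bytes."""
    if not B64_TOKEN.match(token):
        return False
    body = token.rstrip("=").replace("+", "-").replace("/", "_")
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (binascii.Error, ValueError):
        return False
    printable = sum(32 <= b < 127 for b in raw)
    return len(raw) >= 12 and printable / len(raw) > 0.9


def check_agent_url(url: str) -> list[str]:
    """Return reasons to block an outbound fetch; an empty list means allow."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme != "https":
        reasons.append("non-https scheme")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host not allowlisted: {host}")
    # Inspect each path segment and query value; '+' is kept (no form decoding).
    tokens = [unquote(s) for s in parts.path.split("/") if s]
    tokens += [unquote(p.partition("=")[2]) for p in parts.query.split("&") if p]
    if any(decodes_to_text(t) for t in tokens):
        reasons.append("URL component decodes from Base64 to readable text")
    return reasons


if __name__ == "__main__":
    for u in ("https://mail.google.com/mail/u/0/", SAMPLE_URL):
        print(u, "->", check_agent_url(u) or "allow")
```

Because the article notes the requests originated from OpenAI's cloud infrastructure, a check like this only helps when it sits in the agent's tool layer, not at the user's network edge.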

Broader Implications Beyond Email

The researchers warned that this attack method isn't limited to Gmail. Any platform processing structured text—such as Google Drive, Outlook, Teams, or GitHub—could be at risk. Malicious instructions could hide in meeting invites, shared PDFs, or chat logs, turning routine AI tasks into security liabilities.

OpenAI's Response and Fixes

Radware reported the issue to OpenAI via Bugcrowd on June 18, 2025. By early August, OpenAI had implemented a fix but only publicly acknowledged resolving the problem on September 3rd.

The Persistent Threat of Prompt Injection

The incident underscores the fragility of AI agent systems, particularly against prompt injection attacks. These exploits embed hidden commands in seemingly benign text, so the user never sees them. The problem has been known for years, yet no foolproof solution exists. Studies indicate nearly all internet-connected AI agents are vulnerable to manipulation leading to data leaks or malware downloads.

Even OpenAI CEO Sam Altman has cautioned against delegating high-risk tasks to AI agents.

Key Points:

  • ShadowLeak exploited ChatGPT’s Deep Research mode to steal Gmail data silently.
  • Attackers used social engineering and hidden HTML instructions to bypass safeguards.
  • The flaw lay in tool execution capabilities (browser.open() function), not the language model itself.
  • Risks extend beyond email to platforms like Google Drive and GitHub.
  • OpenAI patched the vulnerability by early August but publicly acknowledged the fix only on September 3rd.
