Post

ShadowLeak Exploit Exposed Gmail Data Through ChatGPT Agent

Posted
By ictsec.pl
1 min read

A team of security researchers from Cloud Security Solutions provider, Radware, found a way to trick a popular AI tool into giving up a user’s private information. The team, including lead researchers Zvika Babo and Gabi Nakibly, discovered a flaw in OpenAI’s ChatGPT Deep Research agent, a tool that autonomously browses the internet and user documents to create reports. They demonstrated how the agent could be tricked into leaking private data from a user’s Gmail account without their knowledge.

The researchers named the flaw ShadowLeak, describing it as a “zero-click” attack (an attack triggered without the user needing to click on anything), hidden inside a normal-looking email with invisible commands. When a user tells the Deep Research agent to scan their emails, it reads the hidden instructions and, “without user confirmation and without rendering anything in the UI,” sends the user’s private data to a location controlled by the attacker.

Unlike past 0-click vulnerabilities like AgentFlayer and EchoLeak, which relied on a user’s web browser, this new method works directly from inside OpenAI’s cloud servers. The researchers called this service-side exfiltration, which makes it much harder to detect with normal security software because it operates entirely behind the scenes. According to the report, it is also “invisible to the user,” as nothing is displayed or rendered.

The attack uses a method called indirect prompt injection, where malicious commands are hidden inside the data an AI model is designed to process, like an email, and are executed without the user’s knowledge. The malicious email, which could be titled “Restructuring Package – Action Items,” pretends to be a normal message. Inside, invisible code instructs the agent to find sensitive information and send it to a fake “public employee lookup URL.” The email uses social engineering tricks like asserting “full authorisation” and creating a false sense of urgency to bypass the agent’s safety checks.

To read the complete article see: Hack Read 😊

RESEARCH
EMAIL SECURITY GMAIL CHATGPT
This post is licensed under CC BY 4.0 by the author.