%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
【AIbase Report】According to Radware security researchers, the AI platform ChatGPT had a critical vulnerability called "ShadowLeak" in its "Deep Research" mode. This vulnerability allowed attackers to silently steal sensitive data such as names and addresses from users' Gmail accounts without their knowledge.
The special aspect of this attack is that it occurred entirely within OpenAI's own cloud infrastructure, leaving no traces and bypassing local security protections such as firewalls. Researchers compared this attack method to "an internal employee manipulated from the outside."
It is understood that the attack started with a carefully disguised email, whose subject appeared ordinary, but the email body embedded malicious instructions using hidden HTML (for example, white background with white text or small font). These instructions would trick the "Deep Research" mode agent to perform the following actions: extract personal data from another email of the user. Or send this data to an external URL controlled by the attacker after encoding it with Base64.
To bypass the agent's built-in security measures, attackers used social engineering techniques to make the agent "believe" it had the authority to perform the task and created a sense of urgency with reasons such as "incomplete report." When the user initiated a "Deep Research" query (for example, "analyze my HR emails today"), the agent would unknowingly process the malicious email and execute the hidden instructions, silently transmitting the data to the attacker's server, with the entire process being completely transparent to the user.
Radware pointed out that the vulnerability was not due to the language model itself, but rather the ability of the agent to execute tools. In particular, the internal function named browser.open() allowed the agent to initiate HTTP requests, becoming the breakthrough point for this attack.
Researchers warned that this attack method is not limited to email. Any platform that processes structured text, such as Google Drive, Outlook, Teams, Notion, or GitHub, may face risks. Malicious instructions can be hidden in meeting invitations, shared PDF files, or chat records, turning regular AI tasks into potential security vulnerabilities.
Radware reported the vulnerability to OpenAI through the Bugcrowd platform on June 18, 2025. OpenAI completed the fix in early August, but it wasn't until September 3rd that they publicly acknowledged and confirmed that the issue had been resolved.
This incident once again highlights the vulnerability of AI agent systems. The core issue lies in "Prompt Injection," where attackers embed hidden instructions in text that users are unaware of. Although this vulnerability has existed for years, there is still no reliable solution. Studies show that almost every AI agent could be compromised, especially those that can access the internet, which are easily manipulated, leading to data leaks or malware downloads. OpenAI CEO Sam Altman has also warned not to delegate high-risk or sensitive tasks to AI agents.