Cybersecurity experts at Radware have discovered a vulnerability in the Deep Research chatbot ChatGPT that allowed attackers to steal sensitive data from Gmail with just a single, carefully crafted email, without any user interaction. OpenAI has already released a fix.
Cybersecurity experts at Radware have discovered a vulnerability in the Deep Research chatbot ChatGPT that allowed attackers to steal sensitive data from Gmail with just a single, carefully crafted email, without any user interaction. OpenAI has already released a fix.
This week, cybersecurity firm Radware reported a critical vulnerability in Deep Research, dubbed ShadowLeak, warning that the flaw could have allowed attackers to steal data from mailboxes without any user interaction.
The researchers demonstrated that it was enough to simply send a specially crafted malicious email to a Deep Research user, and when the AI assistant later analyzed the email, it simply stole confidential data, The Register writes .
This attack involves hiding instructions in the HTML code of an email using white text on a white background, CSS tricks, or metadata that the human recipient would never notice. When Deep Research later scans the mailbox, it obediently executes the attacker's hidden commands and sends the message content or other requested data to a server controlled by the attacker.
Radware emphasized that the malicious request is executed from OpenAI's own infrastructure, making it virtually invisible to corporate security tools.
It is this server-side component that makes ShadowLeak particularly dangerous. The user does not have to click on a suspicious link, and there are no suspicious outgoing connections from their laptop. The entire operation takes place in the cloud, and the only trace left is a seemingly innocuous request from the user to ChatGPT asking them to “summarize today’s emails.”
The Radware report warns that attackers could steal personal data, internal memos, legal correspondence, customer records, and even credentials, depending on the contents of the mailbox. The researchers say the risk isn't limited to Gmail. Any integration that allows ChatGPT to collect private documents could be vulnerable to the same trick if the inbound filtering isn't perfect.
Radware said it notified OpenAI of the ShadowLeak bug on June 18, and the company released a fix on September 3.
