Security researchers just revealed how they turned OpenAI's ChatGPT into a digital pickpocket, using the company's own Deep Research tool to silently steal sensitive data from Gmail inboxes. The attack, dubbed Shadow Leak, exploited a vulnerability that let hackers plant invisible instructions in emails and wait for users to unknowingly trigger the data heist.
OpenAI's vision of helpful AI agents just got a reality check. Security researchers at Radware have demonstrated how they turned ChatGPT's Deep Research tool into an unwitting accomplice for data theft, revealing a vulnerability that could affect millions of enterprise users relying on AI agents for productivity.
The attack, called Shadow Leak, exploits the very feature that makes AI agents so appealing - their ability to act autonomously on behalf of users. Deep Research, which launched earlier this year as part of ChatGPT's expanding toolkit, can browse the web, access emails, and perform research tasks without constant human oversight. But that independence became its Achilles' heel.
Here's how the digital heist worked: Radware researchers planted a malicious prompt injection inside an email sent to a Gmail inbox that Deep Research had been authorized to access. The hidden instructions, invisible to human eyes through techniques like white text on white backgrounds, waited dormant like a digital time bomb. When the victim next used Deep Research for legitimate work, the AI agent would encounter these secret commands and begin exfiltrating HR emails, personal details, and other sensitive information to the attackers.
"This process was a rollercoaster of failed attempts, frustrating roadblocks, and, finally, a breakthrough," the Radware researchers told The Verge. The admission reveals just how sophisticated these prompt injection attacks have become - and how difficult they are for companies to defend against without prior knowledge of specific exploits.
What makes Shadow Leak particularly dangerous is where it executes. Unlike traditional security breaches that leave traces on corporate networks, this attack runs entirely on OpenAI's cloud infrastructure. "This makes it invisible to standard cyber defenses," the researchers noted, essentially creating a blind spot in enterprise security monitoring.
The implications stretch far beyond Gmail. Radware warned that the same technique could target other applications connected to Deep Research, including Outlook, GitHub, Drive, and Dropbox. "The same technique can be applied to these additional connectors to exfiltrate highly sensitive business data such as contracts, meeting notes or customer records," they explained.
