Indirect Prompt Injection · High

ChatGPT Operator zero-interaction data exfiltration

February 2025 · OpenAI ChatGPT Operator
What happened
Hidden instructions planted on a web page could hijack Operator as it browsed, causing it to navigate to attacker pages and leak PII from authenticated sessions with no user interaction.
Root cause
The agent followed links and interacted with form fields on untrusted pages without sufficient scrutiny, treating page content as instructions.
Fix / outcome
Demonstrated to OpenAI; mitigations reduce but do not eliminate the risk. The researcher framed agents as potential "malicious insiders."
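
An added example, not OpenAI's mitigation or code from the researcher's report, of the scrutiny the root cause describes as missing: an action gate that treats page content as data and checks navigation and form input against the origins the user named in the task. The `ActionGate` class, its method names, the `link_source` label and all URLs and values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Scheme plus host[:port]: the unit of trust used by this gate."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


@dataclass
class ActionGate:
    """Hypothetical policy layer between an agent's planner and the browser."""
    task_origins: set                      # origins the user named in the task
    sensitive: set = field(default_factory=set)

    def observe(self, url: str, values: list) -> None:
        """Remember values read from task (authenticated) origins."""
        if origin(url) in self.task_origins:
            self.sensitive.update(v for v in values if len(v) >= 4)

    def check(self, action: str, url: str, text: str = "",
              link_source: str = "user") -> tuple:
        """Return (allowed, reason) for a proposed browser action."""
        if origin(url) in self.task_origins:
            return True, "ok: task origin"
        # Page text is data, not instructions: a link that came from page
        # content and leaves the task origins needs user confirmation.
        if action == "navigate" and link_source == "page":
            return False, "confirm: off-task navigation requested by page content"
        # Gate at typing time, not submit time: page script can read a
        # field's value as soon as it changes.
        if action == "type":
            lowered = text.lower()
            if any(v.lower() in lowered for v in self.sensitive):
                return False, "block: session data entered on untrusted origin"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample session; every URL and value is made up.
    gate = ActionGate({"https://mail.example.com"})
    gate.observe("https://mail.example.com/settings", ["alice@example.com"])
    for step in [
        ("navigate", "https://forms.example.net/help", "", "page"),
        ("type", "https://forms.example.net/help", "alice@example.com", "user"),
        ("type", "https://mail.example.com/compose", "alice@example.com", "user"),
    ]:
        print(step[0], step[1], "->", gate.check(*step))
```

Consistent with the outcome recorded above, a gate like this reduces the risk without eliminating it: it only recognises values it has already seen verbatim on a task origin.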