Indirect Prompt Injection · High

ShadowLeak: zero-click service-side exfiltration from ChatGPT Deep Research

September 2025 · OpenAI ChatGPT (Deep Research)
What happened
Radware demonstrated a service-side zero-click attack in which a single crafted email plants hidden instructions that ChatGPT's Deep Research agent follows, autonomously pulling data from a connected Gmail inbox and exfiltrating it from OpenAI's own cloud infrastructure with no user click. OpenAI confirmed a fix in early September 2025.
Root cause
The agent acted on attacker instructions embedded in untrusted email content while it held both access to connected data and an egress path. Because the exfiltration ran server-side, from OpenAI's infrastructure, it bypassed client-side defenses entirely.
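The root cause above is an architectural one: untrusted content, connected data and an outbound path were all available to the same agent turn with no policy between them. The following is an added example (not code from Radware, OpenAI or the Deep Research product) of a server-side egress gate that tracks provenance labels on strings and refuses outbound requests that were shaped by untrusted content or that carry connected-source data. The hostnames, labels and scenario strings are constructed for illustration.

```python
"""Provenance-labelled egress gate for a tool-using agent (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Labeled:
    """A string that carries provenance labels through the agent's tool pipeline."""
    text: str
    untrusted: bool = False  # derived from content the agent merely read (e.g. an inbound email body)
    sensitive: bool = False  # derived from a connected data source (e.g. the user's inbox)


def combine(*parts: Labeled) -> Labeled:
    """Concatenate labelled strings; labels are sticky and propagate to the result."""
    return Labeled(
        "".join(p.text for p in parts),
        untrusted=any(p.untrusted for p in parts),
        sensitive=any(p.sensitive for p in parts),
    )


class EgressDenied(Exception):
    """Raised when an outbound tool call violates the egress policy."""


# Constructed allowlist: the only hosts the research tool may contact from the service side.
EGRESS_ALLOWLIST = frozenset({"search.example.invalid"})


def gate_outbound_request(url: Labeled, body: Optional[Labeled] = None) -> str:
    """Policy check applied to every outbound fetch the agent attempts.

    Three independent conditions must hold:
      1. the destination host is on a fixed allowlist (not chosen by content the agent read);
      2. no part of the URL was derived from untrusted content;
      3. neither URL nor body carries data from a connected source.
    """
    host = urlparse(url.text).hostname or ""
    if host not in EGRESS_ALLOWLIST:
        raise EgressDenied(f"host {host!r} is not on the egress allowlist")
    if url.untrusted:
        raise EgressDenied("destination URL was derived from untrusted content")
    if url.sensitive or (body is not None and body.sensitive):
        raise EgressDenied("request would carry data from a connected source off-platform")
    return f"allowed: {host}"


def try_request(url: Labeled, body: Optional[Labeled] = None) -> str:
    """Run the gate and return the decision as a string instead of raising."""
    try:
        return gate_outbound_request(url, body)
    except EgressDenied as exc:
        return f"denied: {exc}"


def scenario_injected_email() -> str:
    """Constructed re-enactment of the failure mode: a URL taken from an email body,
    with inbox-derived data appended as a query parameter."""
    email_url = Labeled("https://external-collector.invalid/submit?data=", untrusted=True)
    inbox_data = Labeled("quarterly-figures-from-inbox", sensitive=True)
    return try_request(combine(email_url, inbox_data))


def scenario_legitimate_search() -> str:
    """A benign search: agent-authored URL on an allowlisted host, no labelled data."""
    url = combine(Labeled("https://search.example.invalid/?q="), Labeled("deep+research"))
    return try_request(url)


def scenario_sensitive_to_allowed_host() -> str:
    """Allowlisted host, but inbox data in the body: still denied (condition 3)."""
    url = Labeled("https://search.example.invalid/upload")
    return try_request(url, body=Labeled("contents of a private thread", sensitive=True))


if __name__ == "__main__":
    for fn in (scenario_injected_email, scenario_legitimate_search, scenario_sensitive_to_allowed_host):
        print(f"{fn.__name__}: {fn()}")
```

The point of the labels is that the gate sits where the request actually leaves the service, so it does not depend on the model noticing that an instruction came from an email, and it still fires when the destination is legitimate but the payload is not.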
Fix / outcome
OpenAI remediated the Deep Research agent path after disclosure. This case is distinct from client-side exfiltration because the leak originated from OpenAI's cloud rather than from the user's client.
Sources
Learn this attack class
This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.