ShadowLeak Zero-Click Flaw Leaks Gmail Data via OpenAI ChatGPT Deep Research Agent

Cybersecurity researchers have revealed a zero-click attack called ShadowLeak, exploiting a flaw in OpenAI ChatGPT’s Deep Research to leak sensitive Gmail data without user interaction. The vulnerability involves hidden prompt injections within emails that instruct the AI to exfiltrate personal information directly from cloud infrastructure.

Keypoints

  • A zero-click flaw in ChatGPT’s Deep Research allows data leaks through indirect prompt injections.
  • The ShadowLeak attack is executed via hidden instructions embedded in malicious emails.
  • The attack bypasses local defenses by leaking data directly from OpenAI’s cloud infrastructure.
  • Any connector supported by ChatGPT, like Google Drive or SharePoint, can be targeted, expanding the attack surface.
  • The vulnerability was responsibly disclosed and addressed by OpenAI in August 2025.

Read More: https://thehackernews.com/2025/09/shadowleak-zero-click-flaw-leaks-gmail.html