OpenAI Patches “ShadowLeak,” a Zero-Click Flaw in Deep Research Agent

OpenAI has patched a critical vulnerability known as ShadowLeak, which allowed its cloud-based agent Deep Research to silently siphon personal data from connected sources and exfiltrate it to external servers—even without the victim opening a malicious email. The zero-click exploit was discovered by researchers at Radware, who promptly disclosed it to the company.

Deep Research was designed as an autonomous information-gathering tool: it scans the web, email, and documents to generate detailed reports. Researchers demonstrated that an attacker could embed hidden instructions inside an email—such as commands written in white font or rendered in minuscule text size—tricking the agent into extracting names and addresses, encoding them, and transmitting the data through its internal browser.open() function to a rogue “compliance” service. The pivotal technique lay in the model’s preprocessing: it converted sensitive values into Base64 strings, after which the execution layer issued a standard HTTP request to an external domain. The entire exfiltration occurred within the service infrastructure, invisible to both the end user and corporate gateways.

The service-level nature of the leak made it especially dangerous: traditional defenses—including proxies and monitoring systems—cannot detect actions initiated entirely within a cloud environment, while users receive no visual cues of unauthorized access. Researchers stressed that the method was not limited to Gmail but could also affect connectors such as Google Drive, Dropbox, SharePoint, GitHub, messaging apps, and enterprise systems—anywhere the agent processed structured or semi-structured text. This opened the door to the theft of contracts, meeting notes, and client databases.

As countermeasures, the authors recommend pre-sanitizing incoming data—normalizing HTML, stripping invisible styles, and removing obfuscated characters—along with tighter oversight of agent activity: verifying whether outbound calls align with the user’s original task, monitoring secondary requests, and enforcing strict allowlists of permitted domains.

They further advise restricting autonomous HTTP execution capabilities within agents and improving transparency of their operations for administrators. Radware submitted its report to OpenAI via BugCrowd on June 18. OpenAI issued a fix in early August and confirmed full remediation on September 3.

Experts emphasize that ShadowLeak exemplifies a new class of attacks on autonomous agents, where hidden prompts and social engineering transform a helpful assistant into a covert data-exfiltration channel. They urge organizations to reconsider their trust models for cloud-based assistants and to strengthen local content-validation processes.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy