Radware uncovers zero-click vulnerability in ChatGPT

Radware Australia

Wednesday, 24 September, 2025

Cybersecurity solution provider Radware recently announced the discovery of a previously unknown zero-click vulnerability affecting the ChatGPT Deep Research agent. The flaw, dubbed ‘ShadowLeak’, allows attackers to exfiltrate sensitive information from users without any clicks, prompts or visible signs of compromise on the network or endpoint.

The vulnerability, which Radware disclosed to OpenAI under responsible disclosure protocols, demonstrates a new class of attack on AI agents as they continue to gain broad enterprise adoption. These fully covert, automated agent exploits bypass traditional security controls. Radware’s Security Research Center (RSRC) successfully demonstrated that an attacker could exploit the vulnerability by simply sending an email to the user. Once the agent interacted with the malicious email, sensitive data was extracted without victims ever viewing, opening or clicking the message.

“This is the quintessential zero-click attack,” said David Aviv, Chief Technology Officer at Radware. “There is no user action required, no visible cue and no way for victims to know their data has been compromised. Everything happens entirely behind the scenes through autonomous agent actions on OpenAI cloud servers.”

With ShadowLeak, Radware researchers Gabi Nakibly and Zvika Babo (co-lead researchers), with contribution from Maor Uziel, discovered the first purely server-side sensitive data leak. Without any user action (zero-click), ChatGPT’s Deep Research agent, executing in the OpenAI cloud, performed the sensitive data exfiltration autonomously from OpenAI servers. Unlike previously disclosed zero-click attacks, ShadowLeak operates independently and leaves no network-level evidence, making these threats nearly impossible to detect from the perspective of the ChatGPT business customer.

“Enterprises adopting AI cannot rely on built-in safeguards alone to prevent abuse,” said Pascal Geenens, Director of Cyber Threat Intelligence at Radware. “Our research highlights that the combination of AI autonomy, SaaS services and integration with customers’ sensitive data sources introduces an entirely new class of risks. AI-driven workflows can be manipulated in ways not yet anticipated, and these attack vectors often bypass the visibility and detection capabilities of traditional security solutions.”

For more information, review Radware’s latest threat advisory and blog article: ‘ShadowLeak: A Zero-Click, Service-Side Attack Exfiltrating Sensitive Data Using ChatGPT’s Deep Research Agent’.
