""The attack utilizes an indirect prompt injection that can be hidden in email HTML (tiny fonts, white-on-white text, layout tricks) so the user never notices the commands, but the agent still reads and obeys them," security researchers Zvika Babo, Gabi Nakibly, and Maor Uziel said. "Unlike prior research that relied on client-side image rendering to trigger the leak, this attack leaks data directly from OpenAI's cloud infrastructure, making it invisible to local or enterprise defenses.""
"In the attack detailed by Radware, the threat actor sends a seemingly harmless-looking email to the victim, which contains invisible instructions using white-on-white text or CSS trickery that tell the agent to gather their personal information from other messages present in the inbox and exfiltrate it to an external server."
A vulnerability codenamed ShadowLeak enabled a zero-click data-exfiltration attack against ChatGPT Deep Research. The flaw used indirect prompt injection embedded in email HTML (tiny fonts, white-on-white text, layout tricks) that the agent parsed and executed. The attack extracted personal information directly from OpenAI's cloud infrastructure, bypassing local and enterprise defenses. A malicious email could instruct the agent to collect other inbox messages and send Base64-encoded data to an external server via the browser.open() tool. Responsible disclosure occurred on June 18, 2025, and the issue was patched by OpenAI in early August.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]