Red Hot Cyber, The cybersecurity news

Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Spanish Italian
Search

ShadowLeak Arrives: A 0-Click Bug in ChatGPT Leads to Sensitive Data Exfiltration

Redazione RHC : 19 September 2025 07:39

A new threat is beginning to emerge in the IT world: the world of artificial intelligence agents.

ShadowLeak is a recently discovered clickless indirect prompt injection (IPI) vulnerability that occurs when OpenAI’s ChatGPT is connected to corporate Gmail and allowed to browse the web.

How ShadowLeak Works

The attack, discovered by Radware, exploits the vulnerability by sending a legitimate-looking email that silently embeds malicious instructions in invisible or non-obvious HTML code. When an employee asks the assistant to “recap today’s emails” or “search my inbox for a topic,” the agent captures the booby-trapped message and, without further user interaction, exfiltrates sensitive data by calling an attacker-controlled URL with private parameters (e.g., names, addresses, and internal and sensitive information).

It’s important to note that the web request is executed by the agent in OpenAI’s cloud infrastructure, which causes the data leak to originate directly from OpenAI’s servers. Unlike previously disclosed indirect prompt injection vulnerabilities, the malicious request and private data never pass through the ChatGPT client. As a result, the affected organization no longer has any obvious traces to monitor or forensic evidence to analyze at its borders.

This class of exploits aligns with the broader risks described in the emerging Internet of Agents: autonomous artificial intelligence that uses different tools and operates on different protocols and services. As organizations integrate these assistants into inboxes, CRMs, HR systems, and SaaS, business risk shifts from “what the model says” to “what the agent does.”

Social Engineering for People Applied to Machines

The attacker’s cunning extends to social engineering for machines as well as for people.

In repeated runs, reports Radware, the attack worked about half the time with a simple prompt and a simple exfiltration URL, such as https://hr-service.net/{params}. A determined adversary using better prompts and a domain that reflects the intent of the malicious prompt can achieve much better results.

In testing, success rates improved significantly when urgency was added to the prompt prompt and the exfiltration endpoint was made similar to a compliance check with an employee directory lookup endpoint: https://compliance.hr-service.net/public-employee-lookup/{params}.

The agent’s internal reasoning now treats the malicious prompt as part of an urgent HR compliance task.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli