ChatGPT Vulnerabilities Enable Data Exfiltration via ShadowLeak and ZombieAgent
Security researchers at Radware have uncovered critical vulnerabilities in OpenAI's ChatGPT platform, specifically targeting its Connectors and Memory features. These flaws, named ShadowLeak and ZombieAgent, allow attackers to exfiltrate sensitive data from connected services such as Gmail, Outlook, and GitHub without user interaction. The attacks exploit the AI's tendency to follow embedded malicious instructions, enabling zero-click and one-click data theft, persistent access through memory modification, and even propagation to other users by harvesting email addresses. OpenAI initially attempted to mitigate these vulnerabilities by restricting dynamic URL modifications, but researchers demonstrated effective bypasses using pre-built static URLs, reviving the threat under the new moniker ZombieAgent.
The vulnerabilities highlight the inherent risks of integrating AI assistants with external systems and storing long-term user data for personalization. Attackers can embed hidden prompts in emails or files—using techniques like white text or tiny fonts—that are executed when ChatGPT processes the content, leading to stealthy data leaks via OpenAI's own servers. Despite OpenAI's efforts to patch the flaws, the reactive nature of these fixes has left the platform susceptible to new variants, underscoring the ongoing challenge of securing AI-driven services against prompt injection and data exfiltration attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly disclose ShadowLeak and ZombieAgent findings
Multiple outlets reported Radware's public disclosure of the ShadowLeak and ZombieAgent attacks, detailing how ChatGPT could be abused to exfiltrate sensitive data and plant persistent memory entries. The reports emphasized that OpenAI had patched specific issues but that systemic weaknesses in agentic AI security remained unresolved.
OpenAI deploys broader fixes for ShadowLeak and ZombieAgent issues
OpenAI addressed the full set of reported issues with additional mitigations on December 16, 2025. The fixes targeted the connector and memory abuse techniques Radware had demonstrated, though researchers said underlying prompt-injection risks remained.
Radware reports broader ChatGPT connector and memory issues to OpenAI
Radware disclosed the fuller set of vulnerabilities to OpenAI in September, including techniques for persistent memory manipulation, server-side exfiltration, and organizational propagation. The report showed attackers could leak data, alter stored information, and create worm-like spread through connected services.
Radware finds ZombieAgent bypass of OpenAI's initial mitigations
After OpenAI's first fix, Radware discovered a bypass called ZombieAgent that revived the data-exfiltration risk. The new technique used static URLs and abused ChatGPT's memory and connectors to enable stealthy, persistent, zero-click or one-click attacks.
OpenAI patches ShadowLeak after responsible disclosure
Following Radware's disclosure, OpenAI implemented a fix for the ShadowLeak issue by restricting dynamic URL modification and related attack paths. The mitigation was intended to stop prompt-injection-driven data exfiltration through ChatGPT connectors.
Radware discovers ShadowLeak prompt-injection flaw in ChatGPT
Radware identified an initial vulnerability, dubbed ShadowLeak, in ChatGPT's Deep Research and connector functionality. The flaw allowed hidden prompts in connected content and services to trigger unauthorized actions and leak sensitive data from sources such as Gmail, Outlook, Google Drive, and GitHub.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
ZombieAgent ChatGPT attack shows persistent data leak risks of AI agents
csoonline.com
Open sourceChatGPT falls to new data-pilfering attack as a vicious cycle in AI continues
arstechnica.com
Open sourceOpenAI putting bandaids on bandaids as prompt injection problems keep festering
go.theregister.com
Open sourceNew ChatGPT Flaws Allow Attackers to Exfiltrate Sensitive Data from Gmail, Outlook, and GitHub
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI Prompt Injection and Data Leakage Vulnerabilities in OpenAI's ChatGPT and Atlas Browser
Tenable Research has identified seven novel vulnerabilities and attack techniques in OpenAI's ChatGPT, including indirect prompt injections, exfiltration of user data, and bypasses of safety mechanisms in the latest GPT-5 model. These vulnerabilities allow attackers to manipulate the large language model (LLM) through crafted inputs, potentially leading to the theft of private information from user memories and chat histories, even when users simply interact with ChatGPT. The research highlights that hundreds of millions of users could be at risk, as attackers can exploit these weaknesses to bypass safeguards and extract sensitive data without user awareness. The release of OpenAI's ChatGPT Atlas, an AI-powered browser that remembers user activities and acts autonomously, further amplifies these concerns. Security experts warn that features such as persistent memory and autonomous actions increase the attack surface, making the browser susceptible to prompt injection and other AI-specific vulnerabilities. The implications for enterprise security and privacy are significant, as these AI-driven tools become more integrated into business processes, necessitating new approaches to identity management, access controls, and oversight to mitigate the risks posed by advanced AI-enabled attacks.
Jun 29, 2026
ChatGPT Prompt Injection and Privacy Exposure Vulnerabilities
Tenable security researchers identified seven new methods to extract private data from ChatGPT chat histories, primarily through indirect prompt injection attacks that exploit default features such as conversation memory and web search capabilities. These vulnerabilities, present in the latest GPT-5 model, allow attackers to embed malicious instructions in web content, which can then be processed by ChatGPT's intermediary model, SearchGPT, during browsing or search operations. The architectural separation between ChatGPT and SearchGPT was intended to limit such risks, but researchers demonstrated that prompt injection remains a viable attack vector, potentially exposing sensitive user information without their knowledge. Separately, a privacy incident was uncovered where highly sensitive ChatGPT user prompts were found leaking into Google Search Console reports, exposing private conversations to website administrators. Investigators suggested this may have resulted from OpenAI scraping Google Search with actual user prompts, though OpenAI only confirmed a temporary glitch affecting query routing and stated the issue was resolved. These incidents highlight ongoing privacy and security challenges in large language model deployments, especially regarding prompt handling, web integration, and the safeguarding of user data.
Jun 29, 2026
OpenAI Adds ChatGPT Lockdown Mode and Elevated Risk Labels to Reduce Prompt-Injection Exfiltration
OpenAI introduced **Lockdown Mode** and **Elevated Risk** labels in *ChatGPT* to reduce exposure to **prompt injection** and related data-exfiltration risks when AI features interact with external systems. Lockdown Mode is positioned as an optional, advanced setting for higher-risk users and environments (notably *ChatGPT Enterprise*, *Edu*, *for Healthcare*, and *for Teachers*) that restricts tool access and limits how ChatGPT can reach outside systems; reported controls include disabling or constraining capabilities attackers could abuse via conversations or connected apps, and limiting browsing so that no live network requests leave OpenAI-controlled infrastructure (with browsing constrained to cached content). Admins can enable the setting via workspace controls and apply additional restrictions through dedicated roles, while Elevated Risk labels provide in-product warnings and guidance for features that increase risk when connecting to apps or the web, including across *ChatGPT*, *ChatGPT Atlas*, and *Codex*. Separate research highlighted how AI assistants with web-browsing/URL-fetching features can be abused as stealthy **command-and-control (C2) relays**, demonstrating a technique against **Microsoft Copilot** and **xAI Grok** that tunnels operator commands and victim data through legitimate AI web interfaces and can work without an API key or registered account. In parallel, the **European Parliament** reportedly disabled built-in AI tools on lawmakers’ work devices due to cybersecurity and privacy concerns about uploading sensitive correspondence to third-party cloud AI providers and uncertainty about what data is shared and retained. Other referenced material focused on general productivity customization of ChatGPT via “Custom Instructions,” rather than a specific security event or disclosure.
Jun 29, 2026