ShadowLeak: Gmail Email Leak Using ChatGPT

Radware experts have described a new indirect prompt injection attack against ChatGPT (similar to one discovered by a Japanese researcher) that allows access to Gmail without user interaction. ShadowLeak exploits the agentic capabilities of the AI assistant's Deep Research feature. OpenAI has already patched the vulnerability.
ShadowLeak Attack Description

Deep Research can create a detailed report on a specific topic by combining information from multiple sources (it can take up to 30 minutes). To get more relevant answers, it can read your personal content through Gmail and other third-party apps. It is accessible to all consumer and business users.
The indirect prompt injection attack involves sending an email containing hidden instructions (invisible font size or white on a white background) in the HTML code. When the unsuspecting victim asks ChatGPT to analyze emails in Gmail, Deep Research reads the "trap" email and executes the hidden prompt.
In the example shown by Radware, the AI assistant searches for the company employee's personal information (name, address, and other information) and sends it to the URL specified in the instructions, without any user interaction (zero-click). In some cases, ChatGPT didn't execute the prompt. After several attempts, the researchers found a way to bypass the protections, achieving 100% success.
Unlike other similar attacks, ShadowLeak doesn't pass URLs and private data to the client to make the web request. This request is made directly by the AI agent on OpenAI's cloud infrastructure. Gmail was used in the demonstration, but the attack works with other services that can be connected to Deep Research, including Google Drive, Box, Outlook, Teams, and GitHub.
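The hidden-text trick described above (invisible font size, white on a white background inside the HTML) is something a mail gateway can screen for before a connector hands a message to an agent. The following is an added defensive example, not Radware's or OpenAI's code; `scan_email_html`, its heuristics and the sample message are all constructed here.

```python
# Added defensive example (not Radware's or OpenAI's code): report text that an HTML email hides from its
# human reader, so a mail gateway can quarantine the message before an agent such as Deep Research reads it.
import re
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "area", "base", "col", "wbr"}
NON_TEXT_TAGS = {"style", "script", "title"}  # their content is never reader-visible text
NEAR_WHITE = re.compile(r"^(#(fff|ffffff|fefefe)|white|rgb\(\s*25[0-5]\s*,\s*25[0-5]\s*,\s*25[0-5]\s*\))$", re.I)
def _css_props(style):  # inline style attribute -> lower-cased {property: value}
    return {k.strip().lower(): v.strip().lower() for k, v in
            (d.split(":", 1) for d in (style or "").split(";") if ":" in d)}
def _is_hidden(props, background):  # heuristics for text a human reading the rendered mail never sees
    size = re.match(r"^(\d*\.?\d+)(px|pt)?$", props.get("font-size", ""))
    return (props.get("display") == "none" or props.get("visibility") == "hidden" or props.get("opacity") == "0"
            or bool(size and float(size.group(1)) <= 1)  # 0px/1px text: invisible to a human, not to an LLM
            or bool(NEAR_WHITE.match(props.get("color", "")) and NEAR_WHITE.match(background)))

class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # per open element: (hidden flag, or None for NON_TEXT_TAGS; effective background)
        self.visible, self.hidden = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        parent_hidden, parent_bg = self.stack[-1] if self.stack else (False, "white")  # mail clients render on white
        props = _css_props(dict(attrs).get("style"))
        bg = props.get("background-color") or props.get("background") or parent_bg
        self.stack.append((None if tag in NON_TEXT_TAGS else (parent_hidden or _is_hidden(props, bg)), bg))
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        text, hidden = " ".join(data.split()), (self.stack[-1][0] if self.stack else False)
        if text and hidden is not None:
            (self.hidden if hidden else self.visible).append(text)
    def handle_comment(self, data):
        if data.strip():
            self.hidden.append(data.strip())  # comments never render, but an LLM fed raw HTML reads them

def scan_email_html(html):  # -> (visible_text, hidden_fragments); any hidden fragment means quarantine or review
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return " ".join(scanner.visible), scanner.hidden

# Constructed sample (not the real ShadowLeak email): a visible line, a white-on-white paragraph and a 0px span.
SAMPLE_EMAIL = ('<html><body style="background-color:#ffffff"><p>Hi team, here is the agenda for Monday.</p>'
                '<p style="color:#FFFFFF">HIDDEN-INSTRUCTION-PLACEHOLDER-1</p>'
                '<span style="font-size:0px">HIDDEN-INSTRUCTION-PLACEHOLDER-2</span></body></html>')
```

Running `scan_email_html(SAMPLE_EMAIL)` returns the one visible sentence plus both placeholder fragments as hidden; a gateway that sees a non-empty hidden list can hold the message for review instead of letting the connector pass it to the agent.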
Punto Informatico