ShadowLeak exploit exposes ChatGPT users to silent AI data theft
Radware has identified a previously undocumented zero-click, service-side vulnerability in the ChatGPT Deep Research agent that enables attackers to extract user data from OpenAI servers with no user interaction.
The vulnerability, named "ShadowLeak," was discovered by Radware's Security Research Centre (RSRC) and disclosed to OpenAI under responsible disclosure protocols. According to the company's findings, the exploit allows attackers to direct ChatGPT's Deep Research agent to autonomously exfiltrate sensitive information by exploiting server-side logic, entirely bypassing user endpoints and traditional detection measures.
Zero-click exposure
In a demonstration, Radware's researchers showed that the ShadowLeak attack could be triggered when an attacker sends a specially crafted email to a user. The recipient does not need to view, open, or click on the message. Once the Deep Research agent handled the message in the background, the attacker's code would extract sensitive data without any visible cue to the victim and without leaving evidence in endpoint or network logs.
This is the quintessential zero-click attack. There is no user action required, no visible cue and no way for victims to know their data has been compromised. Everything happens entirely behind the scenes through autonomous agent actions on OpenAI cloud servers.
The research, conducted by Gabi Nakibly and Zvika Babo as co-lead researchers with contributions from Maor Uziel, distinguishes ShadowLeak from previous zero-click vulnerabilities. Radware asserts this is the first time a purely server-side exfiltration attack has been observed involving an AI agent acting independently in the cloud, rather than involving user devices or traditional web application vulnerabilities. The attack provides no network-level indication that data was accessed or sent outside the server, complicating detection and response for businesses.
Business risk and response
The impact is considered notable for business customers of ChatGPT. Nick Turley, Vice President of Product for ChatGPT, was quoted in an August 2025 interview with CNBC as saying the platform has 5 million paying business users, highlighting a wide potential exposure to this class of exploit if mitigations are not in place.
Enterprises adopting AI cannot rely on built-in safeguards alone to prevent abuse. Our research highlights that the combination of AI autonomy, SaaS services and integration with customers' sensitive data sources introduces an entirely new class of risks. AI-driven workflows can be manipulated in ways not yet anticipated, and these attack vectors often bypass the visibility and detection capabilities of traditional security solutions.
Radware's analysis indicates enterprise security teams must consider server-side AI activity as a threat vector, stressing that traditional endpoint or network-based security solutions might be insufficient.
Industry disclosure and mitigation
Radware reported the ShadowLeak vulnerability to OpenAI on 18 June 2025. OpenAI acknowledged the issue and informed Radware that a fix had been implemented on 3 September 2025. Radware publicly commended OpenAI's cooperation and commitment to the security of the wider ecosystem during the process.
The exploitation technique leverages the autonomous capabilities of AI agents combined with SaaS integration to escalate risks. According to Radware, the attack does not require malware or phishing links; instead, it subtly directs autonomous workflows to retrieve and transmit confidential data directly from integrated data sources in the cloud.
Radware has stated it is providing a full technical breakdown and defence recommendations to the cybersecurity community. The company adds that security leaders and AI developers should evaluate existing safeguards around their AI deployments and SaaS platforms, considering new risks posed by autonomous agent behaviour.
Radware will also be hosting informational sessions to further detail the specifics of the attack and provide advice on securing AI agents in live production environments. All research and recommendations will be made available through the Radware Security Research Centre following the event.
The ShadowLeak zero-click vulnerability marks a development in server-side threats involving autonomous AI agents, with implications for how enterprise AI workflows and SaaS integrations are secured and monitored in the future.