ShadowLeak Zero-Click Flaw — Threat Analysis Report By CyberDudeBivash • Date: September 20, 2025 (IST)

-

 


Executive Summary

ShadowLeak is a newly disclosed zero-click, service-side data-exfiltration flaw impacting ChatGPT’s Deep Research agent when it is connected to Gmail (and, by pattern, other connectors). A single crafted email with hidden HTML instructions can silently coerce the agent to leak inbox data to an attacker—without the user clicking anything and without traffic leaving the enterprise network, because the exfiltration occurs from OpenAI’s cloud infrastructure. OpenAI received a private report June 18, 2025 and fixed the issue in early August; public write-ups were posted September 18–20, 2025. There’s no evidence of in-the-wild abuse as of disclosure. Radware+2The Record from Recorded Future+2

Why it matters: Traditional controls (SEG, SWG, EDR) don’t see the leak; the agent acts as a trusted “delegate” and exfiltrates directly from the provider side. Treat agentic AI as privileged actors with scoped permissions, input sanitization, action logging, and strict tool/URL governance. Radware+1

What ShadowLeak Is (Concise)

  • Class: Zero-click Indirect Prompt Injection (IPI) against an agent with Gmail + browsing tools. Radware

  • Trigger: Hidden instructions in an attacker email (e.g., white-on-white text, tiny font) are ingested when a user later asks the agent to “summarize today’s emails,” etc. Radware

  • Action: The agent uses its tool (e.g., browser.open) to call an attacker-controlled URL, appending PII (often Base64-encoded) harvested from inbox messages. No user click; no client render. Radware

  • Uniqueness: Service-side leak from OpenAI’s infra; earlier IPI demos (e.g., EchoLeak/AgentFlayer) were client-side. Radware

  • Status: Patched by OpenAI (fixed early Aug; marked resolved Sept 3). No observed in-the-wild exploitation at disclosure. The Record from Recorded Future

Affected Configurations

  • Required: ChatGPT Deep Research enabled with Gmail access and browsing/tooling permitted. Radware

  • Likely generalization: Same attack pattern can target other connectors (Google Drive, Box/Dropbox, Notion, SharePoint, Outlook, GitHub, etc.) because the primitive is “hidden instructions in ingested content → agent makes backend web call.” The Hacker News

Attack Chain (Kill-Chain View)

  1. Plant a convincing email; embed hidden instructions in HTML/CSS. Radware

  2. User later asks the agent to digest inbox (routine task).

  3. Agent parses the attacker email + real HR/finance mail, extracts PII, and calls a fake “compliance” endpoint with that data (often Base64). Prompts may add urgency/authority to push execution. Radware

  4. Exfiltration happens from OpenAI servers, bypassing enterprise egress visibility. Radware

Business Impact

  • Silent loss of PII/PHI, contracts, legal strategy, deal terms; potential GDPR/CCPA/SEC exposure; reputational harm. Radware

  • Audit & forensics pain: actions/logs reside outside enterprise systems (provider-side), so traditional IR tooling lacks visibility. Radware

Timeline (2025)

  • June 18: Vulnerability reported to OpenAI (Bugcrowd).

  • Early August: Fix deployed; Sept 3 marked resolved.

  • Sept 18–20: Public disclosures (Radware blog/advisory; press). No in-the-wild exploitation reported by the researchers. The Record from Recorded Future

Detection & Telemetry (What You Can See)

Because exfiltration originates from the provider side, focus on content ingress and agent actions:

Signals to pursue

  • Gmail/Workspace: locate inbound emails with suspicious hidden HTML (white-on-white, 1px fonts, offscreen CSS). Use safe HTML normalization for scanning pipelines (no active rendering). Radware

  • App/Token audits: inventory ChatGPT↔Gmail connector approvals and scopes; rotate/revoke if anomalous. (Press coverage notes Gmail PoC; pattern extends to other connectors.) The Hacker News

  • Provider-side logs: if/when available, retain agent action logs (“who/what/why” for every tool call). Radware emphasizes action-logging for accountability. Radware

  • Honey-tokens: seed unique strings in VIP mailboxes; alert if those tokens appear on external endpoints (catch “report-style” exfil). (Defensive inference based on service-side exfil limitations.) Radware

Immediate Risk Reduction (Patched, but harden now)

Even with the upstream fix, adopt agent-safety guardrails to defend against future variants:

  1. Treat agents as privileged users: separate read vs act scopes; distinct service accounts; time-bound access. Radware

  2. Sanitize before ingest: strip/flatten HTML, remove invisible styles/obfuscated text before content reaches the agent. Radware

  3. Action logging & review: log every tool call (URL, parameters, provenance); enable approvals for external requests from high-risk workflows. Radware

  4. URL governance for agents: maintain allowlists for agent egress, especially for PII-bearing operations; block unknown domains at the agent layer (not just enterprise proxy). (Radware notes enterprise egress controls won’t see provider-side calls.) Radware

  5. Semantic prompt shields: classical regex filters won’t catch natural-language IPIs—use LLM-based semantic analyzers or policy engines to pre-screen inputs/outputs for risky intent (e.g., “send PII to external URL”). Radware

  6. Connector minimization: grant the fewest connectors/scopes needed; disable Gmail/Drive access for roles that don’t require it. The Hacker News

  7. VIP protections: for execs/HR/finance, prefer read-only agent modes; require human approval for any external URL calls that include sensitive parameters. Radware

Blue-Team Playbook (72-Hour Sprint)

Day 0

  • Confirm OpenAI’s fix is rolled out in your tenant; verify agent action logging/retention where available. (Per reporting, the issue is fixed.) The Record from Recorded Future

  • Inventory who enabled Deep Research + Gmail (and other data connectors). Freeze new connector grants.

Day 1

  • Deploy HTML sanitization in pre-ingest pipelines for content destined to agents (email, docs, tickets). Radware

  • Implement URL allowlist for agent tools; require approval for unsanctioned domains.

  • Add SOAR: on detection of hidden-HTML phish → neutralize HTML (flatten), notify user, and open an IR ticket tagged “LLM-IPI”.

Day 2

  • Rotate ChatGPT↔Gmail OAuth tokens for sensitive users; re-grant minimal scopes.

  • Seed canary strings in VIP mailboxes; watch for appearance in external telemetry (or provider logs, if exposed).

  • Run a tabletop: “malicious hidden email → agent digest → exfil”—verify who can review agent actions.

How ShadowLeak Differs from “Classic” Zero-Clicks

  • Classic (e.g., Pegasus/BLASTPASS): target client OS/app with a memory corruption or parsing bug; compromise device with no user clicks. The Citizen Lab+1

  • ShadowLeak: manipulates an agent’s behavior with hidden natural-language instructions; the provider-side agent perpetrates exfiltration. No local exploit, no render, no user clue. Radware

FAQ (fast answers)

Is this still exploitable?
Public reporting says OpenAI fixed the issue before disclosure. Continue to harden inputs, scopes, and logging to prepare for analogs across other agents/providers. The Record from Recorded Future

Did attackers abuse it in the wild?
Researchers did not observe in-the-wild exploitation at disclosure. The Record from Recorded Future

Only Gmail at risk?
Gmail was the demo because it’s common, but the same pattern can apply to other connectors (Drive/Box/SharePoint/Outlook/Notion/GitHub), as content with hidden prompts can coerce backend actions. The Hacker News

References & Further Reading

  • Radware advisory PDF (mechanics, service-side nature, mitigations). Radware

  • Radware blog deep-dive (step-by-step prompt strategy; Base64 trick; tool naming). Radware

  • The Record: OpenAI fixed ShadowLeak; disclosure timeline; “no in-the-wild” note. The Record from Recorded Future

  • The Hacker News: public summary; connector generalization; tool details. The Hacker News

#CyberDudeBivash #ShadowLeak #ZeroClick #PromptInjection #AI #ChatGPT #DeepResearch #Gmail #AgentSecurity #DataExfil #ThreatIntel

Comments

Post a Comment

Popular posts from this blog

CyberDudeBivash Rapid Advisory — WordPress Plugin: Social-Login Authentication Bypass (Threat Summary & Emergency Playbook)

-
Image
  TL;DR: A class of vulnerabilities in WordPress social-login / OAuth plugins can let attackers bypass normal authentication flows and obtain an administrative session (or create admin users) by manipulating OAuth callback parameters, reusing stale tokens, or exploiting improper validation of the identity assertions returned by providers. If you run a site that accepts social logins (Google, Facebook, Apple, GitHub, etc.), treat this as high priority : audit, patch, or temporarily disable social login until you confirm your plugin is safe. This advisory gives you immediate actions, detection steps, mitigation, and recovery guidance. Why this matters (short) Social-login plugins often accept externally-issued assertions (OAuth ID tokens, authorization codes, user info). If the plugin fails to validate provider signatures, nonce/state values, redirect URIs, or maps identities to local accounts incorrectly , attackers can craft requests that the site accepts as authenticated. ...
Read more

Hackers Injecting Malicious Code into GitHub Actions to Steal PyPI Tokens CyberDudeBivash — Threat Brief & Defensive Playbook

-
Image
  SUMMARY  Attackers are modifying GitHub Actions workflows (via compromised accounts, malicious PRs, or forged commits) to add steps that exfiltrate PyPI (or other package registry) publishing tokens. With those tokens they publish backdoored packages or download private packages — a supply-chain multiplier. Defend by eliminating long-lived secrets, switching to OIDC/ephemeral credentials, hardening workflow controls, monitoring workflow changes and secret usage, and rotating tokens immediately if you suspect compromise. How attackers typically operate  Gain write access to repo or CI/CD config (via compromised developer account, stolen token, privilege abuse, or merge of malicious PR). Modify or add a workflow file that runs in the repo’s runner context (self-hosted or GitHub-hosted). Add steps that read repository secrets (e.g., PYPI_TOKEN ) or create credentials files ( ~/.pypirc ), then send the token to attacker-controlled endpoints or push a malicious p...
Read more

Exchange Hybrid Warning: CVE-2025-53786 can cascade into domain compromise (on-prem ↔ M365) By CyberDudeBivash — Cybersecurity & AI

-
Image
  Executive summary CVE-2025-53786 is a post-authentication elevation of privilege in Microsoft Exchange hybrid deployments . If an attacker first gains admin on an on-prem Exchange server , they can abuse the legacy “shared service principal” trust used by Hybrid Configuration to escalate into Exchange Online —potentially leading to full cloud+on-prem domain compromise . CISA issued Emergency Directive ED-25-02 with a deadline of 9:00 a.m. EDT on August 11, 2025 for U.S. federal agencies; Microsoft urges all hybrid customers to take the same steps: apply the April 2025 Hotfix Updates , migrate to the dedicated Exchange Hybrid app , and reset/clean up service principal credentials . cisa.gov +1 TECHCOMMUNITY.MICROSOFT.COM +1 Why this is dangerous: actions initiated from the on-prem Exchange side may not show up as obviously malicious in M365 audit trails, making cloud abuse harder to spot if you’ve not modernized the trust. TechRadar What is actually vulnerable? (trust...
Read more