Skip to content
Case studies6 min read

ChatGPT Deep Research Gmail Leak: ShadowLeak

ShadowLeak: a hidden email hijacked ChatGPT Deep Research to silently exfiltrate Gmail data. How deny-by-default permissions close the gap.

ShadowLeak was a zero-click indirect prompt injection attack against ChatGPT Deep Research, disclosed by Radware in June 2025, in which a hidden instruction inside a normal email caused the agent to silently exfiltrate a user's Gmail data to an attacker-controlled URL with no user action required. The technique was simple to state and hard to see: an attacker sent an ordinary-looking email containing hidden instructions. When a user later asked Deep Research to work over their Gmail, the agent read the planted email, followed the hidden instructions, encoded inbox data, and sent it to the attacker URL (Radware).

What made ShadowLeak distinct from earlier prompt-injection leaks was where the exfiltration happened. The outbound request did not originate from the user's device or network. It came from OpenAI's own cloud, from the agent's runtime, so local defenses such as endpoint tools, proxies, and corporate egress filters never saw the traffic (The Hacker News). The victim took no action beyond a normal request. No click, no download, no visible prompt.

OpenAI patched the issue around August 2025. Researchers noted that the same class of attack extended beyond Gmail to the agent's other connectors, which widens the attack surface to whatever data sources an agent is wired into (Infosecurity Magazine).

What the ShadowLeak governance gap actually was

Two failures stacked. The first is well known: the agent trusted content it read. A document inside the data it was asked to process carried instructions, and the model treated those instructions as its own. No permission system fixes a model that believes a hostile email.

The second failure is the one a control plane addresses. The Gmail task was able to do two things it had no business doing. It could open an arbitrary outbound URL, and it sat next to connectors for other data sources it never needed for the job. A task scoped to reading a mailbox had an implicit license to reach the open internet and, by extension, to reach whatever else the agent could touch.

This is connector sprawl, and connector sprawl is permission sprawl. Every connector wired into a general agent becomes a path an injected instruction can walk. A Gmail summarization task should not be able to open an attacker URL. It should not be able to read Drive or a code repository either. When the safe action and the dangerous action share the same ambient set of capabilities, a single trusted-content failure becomes a full exfiltration.

How deny-by-default permissions would have changed the outcome

MakerChecker governs agents you build on it, not OpenAI's hosted product, so the mapping here is about how a team running its own connected agent would have closed the gap. The control is deny-by-default capability, scoped to the role that runs the task.

Model the mailbox job as a narrow role. Grant it the one skill it needs to do its work and nothing else. The Drive connector, the code connector, and a general outbound fetch are simply not in the grant set for this role.

role: gmail-summarizer
  grants:
    - skill: connector.gmail.read     @1   tier: low
  # not granted:
  #   connector.drive.read
  #   connector.github.read
  #   net.fetch

Now replay ShadowLeak against that configuration. The injected instruction tells the agent to call connector.drive.read and then net.fetch against the attacker URL. Both skills are ungranted. Under deny-by-default, an ungranted call does not run. It is refused before any side effect, and the refusal is recorded. The agent can still be fooled into wanting to exfiltrate. It cannot reach a tool to do it.

Where a task legitimately needs outbound egress, the answer is not a broad net.fetch. Model egress as its own high-risk skill behind an approval gate, so any outbound send to a destination outside an allowed set requires named human sign-off before it runs. The safe read path stays low-risk and unattended. The consequential, irreversible path routes to a gate.

Least privilege does the structural work here. The Gmail task is confined to Gmail, so even a fully compromised reasoning step cannot pivot to Drive or GitHub. Deny-by-default removes the arbitrary fetch. The approval gate guards any real egress. And the tamper-evident, Ed25519-signed audit chain records the attempted ungranted calls, which matters precisely because the exfiltration in the real incident was invisible to local defenses. The control plane sees the attempt at the point of decision, signs it, and lets you verify the record offline afterward.

What MakerChecker would not have fixed

MakerChecker does not make the model resistant to the injection itself. It cannot stop the agent from believing a hostile email or from forming the intent to leak data. It does not read content and judge whether an instruction is malicious.

It also has no reach inside OpenAI's infrastructure. ShadowLeak was a flaw in a hosted product, and only the vendor's patch closed it there. The mapping in this article applies to agents your own team builds and runs on MakerChecker. For those, the value is containment: when the model is fooled, deny-by-default and least privilege keep the blast radius to the one mailbox the task was scoped to, and the signed audit gives you a record even when the network does not.

See the configuration: examples/rogue-ai/shadowleak-chatgpt-deep-research-gmail-exfiltration

Frequently asked

What was the ShadowLeak vulnerability in ChatGPT Deep Research?
ShadowLeak was a zero-click indirect prompt injection attack disclosed by Radware in June 2025. An attacker planted hidden instructions inside a normal email. When a user asked ChatGPT Deep Research to process their Gmail, the agent read the planted email, followed the instructions, encoded inbox data, and exfiltrated it to an attacker-controlled URL, all without any user action beyond the original request.
Why did standard endpoint and network defenses not catch the ShadowLeak exfiltration?
The outbound request did not originate from the user's device or corporate network. It came from OpenAI's own cloud infrastructure, where the agent runtime executed, so local proxies, endpoint tools, and egress filters never saw the traffic.
How does deny-by-default capability scoping prevent this class of attack?
Deny-by-default means the agent role is granted only the specific skills it needs, such as reading one mailbox, and nothing else. When injected instructions attempt to call an ungranted skill like an outbound fetch or a Drive connector, the call is refused before any side effect occurs and the attempt is recorded. The agent can form the intent to exfiltrate but cannot reach a tool to carry it out.

Where this goes to work

How MakerChecker works — the six primitives

Agents as employees, versioned grants, structural segregation of duties, approval gates, role limits, and a signed audit a regulator verifies offline.

Explore →Book a demo

Related reading

See it for yourself

See an agent get stopped.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Book a demoRead the docs

Designed against the rules your auditors already enforce.