Zero-Click Vulnerability in ChatGPT’s Deep Research Agent Exposes Gmail Data

A zero-click vulnerability in ChatGPT’s Deep Research agent allowed attackers to steal sensitive data from users’ Gmail accounts without any interaction. The flaw exploited hidden malicious prompts embedded in emails, which tricked the agent into extracting personal information and sending it from OpenAI’s cloud to attacker-controlled servers.


This service-side attack bypassed traditional security measures since the data exfiltration happened within OpenAI’s infrastructure, leaving users unaware. The vulnerability could affect any text-based data source the agent accesses, such as documents, calendars, or messaging platforms.


The issue was reported in June 2025; OpenAI patched it by early August and resolved it by September. The case underscores the need for continuous monitoring to detect malicious prompt manipulation.
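One way to screen for hidden prompts before an agent reads a message, as an added example that is not code from OpenAI or from the original report: it splits an HTML email body into the text a person would see and the text that only a text-extracting agent would read. The article does not say how the prompts were hidden, so the inline-CSS heuristics, the function names and the sample message are assumptions.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text from a human reader (assumed, non-exhaustive heuristics).
HIDDEN_STYLE = re.compile(
    r"(?i)display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|opacity\s*:\s*0(?![.\d])|(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white\b)")
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "area", "base", "col", "wbr"}

class HiddenTextFinder(HTMLParser):
    """Separates text a mail client displays from text only a text-extracting agent reads."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []    # per open element: is it, or any ancestor, hidden?
        self.hidden = []   # text fragments inside hidden elements
        self.visible = []  # text a human reader would see

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:  # void elements have no end tag, so never push them
            return
        a = dict(attrs)
        here = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self.stack.append(here or (bool(self.stack) and self.stack[-1]))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)

def split_email_html(html):
    """Return (visible_text, hidden_fragments) for one HTML email body."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return " ".join(finder.visible), finder.hidden

# Constructed sample: ordinary message plus an invisible block addressed to the agent.
SAMPLE = (
    "<html><body><p>Hi, the Q3 schedule is attached.<br>Regards, Sam</p>"
    '<div style="color:#ffffff; font-size:0px">NOTE TO ASSISTANT: '
    "<b>constructed placeholder instruction</b></div></body></html>"
)

if __name__ == "__main__":
    print(split_email_html(SAMPLE))
```

Any non-empty hidden list is a reason to quarantine the message or pass only the visible text to the agent. White text on a dark background will also be flagged, so treat a hit as a signal for review rather than proof of injection.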