---
title: ChatGPT’s Best Features Became a Gateway for Data Theft
description: Radware exposes ChatGPT flaws ‘ShadowLeak’ and ‘ZombieAgent’ enabling zero-click data exfiltration via connectors and memory across Gmail, Outlook and GitHub.
author: Darie Nani (Editor-in-Chief)
date: 2026-01-08T20:01:55.000Z
updated: 2026-02-26T18:01:35.457Z
canonical: https://www.sovereignmagazine.com/article/chatgpt-s-best-features-became-a-gateway-for-data-theft
image: https://cdn.nanimediahouse.com/fvxnera8uk0.jpg
categories: Artificial Intelligence
content_type: Analysis
region: United States
publication: Sovereign Magazine
about:
  - type: Organization
    name: OpenAI
---

In September 2025, researchers at Radware identified two vulnerabilities in ChatGPT that allowed attackers to extract sensitive data from Gmail, Outlook, and GitHub without any user interaction. Named **ShadowLeak** and **ZombieAgent**, these flaws exploited ChatGPT’s Connectors and Memory features. These tools were designed to improve productivity by integrating AI with everyday applications. The vulnerabilities demonstrated how features intended to simplify workflows could instead create new opportunities for data theft.

## The Trade-Off Between Convenience and Security

ChatGPT’s Connectors and Memory features were created to make digital tasks easier. Connectors allow the AI to interact directly with services like Google Drive, Jira, Teams, and GitHub. This enables users to summarise emails, update tickets, or search repositories without switching applications. Memory, enabled by default, stores conversation history and user preferences to provide personalised responses. Together, these features turn ChatGPT into a central hub for managing digital workflows.

This integration, however, introduces risks. By connecting ChatGPT to multiple services, users create a single point of failure. If the AI is compromised, attackers gain access to all linked systems. Radware’s research showed how features meant to enhance productivity could also expose users to significant security threats. A recent report revealed that [gaps in AI threat awareness](https://www.sovereignmagazine.com/article/gap-in-ai-threat-awareness-leaves-business-teams-open-to-attack-report-warns) leave business teams particularly vulnerable to such attacks.

## How Attackers Exploited ChatGPT’s Design

The ShadowLeak vulnerability revealed a critical flaw in ChatGPT’s ability to distinguish between legitimate and malicious instructions. Attackers embedded hidden prompts in emails or documents using techniques like white text, tiny fonts, or footers. When ChatGPT processed these files, for example to summarise an email or analyse a document, it executed the attacker’s commands without the user’s knowledge.

In the zero-click variant, the attack occurred entirely on OpenAI’s servers. ChatGPT would scan an inbox for routine tasks, such as summarising emails, and inadvertently trigger the payload. The AI then leaked data through pre-built static URLs, bypassing dynamic URL restrictions. For example, it normalised sensitive strings like “Zvika Doe” to “zvikadoe” and sequentially opened links such as `compliance.hr-service.net/get-public-joke/z`. This method evaded client-side defences, browsers, and user visibility. These techniques mirror broader trends in [AI-powered phishing attacks](https://www.sovereignmagazine.com/article/google-s-defence-architects-launch-aegisai-ai-native-email-security-as-phishing-attacks-quadr), which have quadrupled in effectiveness.

The one-click version required minimal user interaction, such as uploading a tainted file, but enabled chained attacks on connected repositories or drives. The **ZombieAgent** vulnerability introduced persistence. Attackers injected memory-altering rules that forced ChatGPT to leak data from every subsequent conversation. Even new chats became compromised as the AI’s memory retained the malicious instructions.

Propagation added another risk. Attackers harvested email addresses from inboxes and auto-forwarded payloads to contacts. This turned a single breach into an organisational outbreak. Radware’s findings highlighted how AI’s autonomy and memory could be weaponised to create self-sustaining attacks.

## The Challenge of Securing Agentic AI

The vulnerabilities in ChatGPT are part of a broader challenge: securing **agentic AI** systems that operate autonomously across multiple applications. Unlike traditional software, agentic AI can perform tasks without constant human oversight. This makes it a prime target for attackers. Its ability to retain memory and interact with external systems expands the attack surface in ways that conventional security measures struggle to address. Understanding [what AI cybersecurity looks like](https://www.sovereignmagazine.com/article/what-ai-cybersecurity-really-looks-like-on-the-ground-for-us-businesses) on the ground for businesses is essential to addressing these challenges.

Research from Palo Alto Networks and Rippling shows that indirect prompt injection and memory poisoning are becoming dominant threats in AI security. Attackers manipulate an AI’s memory to execute long-term data exfiltration. They encode stolen information in seemingly innocuous requests to remote servers. These attacks are difficult to detect because they exploit the AI’s core functionality. Specifically, they take advantage of its ability to learn and adapt, rather than a traditional software flaw.

OpenAI responded quickly to the vulnerabilities, patching ShadowLeak on 3 September 2025 and implementing broader fixes by 16 December 2025. The company enhanced prompt filtering and restricted the AI’s ability to modify URLs dynamically. This closed the loophole that allowed static URL-based exfiltration. However, the discovery of ZombieAgent in early 2026 proved that securing AI systems is an ongoing battle.

The fundamental challenge lies in AI’s nature. Unlike traditional software, AI systems interpret and generate responses based on vast datasets. This makes it difficult to predict or prevent all possible attack vectors. OpenAI’s [guide to hardening against prompt injection](https://openai.com/index/hardening-atlas-against-prompt-injection/) describes this as a “long-term challenge.” While measures like automated red-teaming and rapid response loops can mitigate risks, eliminating them entirely may not be possible.

Industry leaders are calling for a new approach to AI security. AWS’s [Agentic AI Security Scoping Matrix](https://aws.amazon.com/blogs/security/the-agentic-ai-security-scoping-matrix-a-framework-for-securing-autonomous-ai-systems/) recommends governance frameworks to limit data exfiltration and lateral movement. Rippling’s [research on output verification](https://www.rippling.com/blog/agentic-ai-security) advocates for safety policies that verify AI outputs. These measures reflect a growing recognition that AI security must evolve alongside the technology, as [warnings about AI advancements threatening cybersecurity](https://www.sovereignmagazine.com/article/uk-warns-of-ai-advancements-threatening-global-cybersecurity-systems) continue to emerge from governments worldwide.

## Lessons for Users and Developers

The ShadowLeak and ZombieAgent vulnerabilities serve as a reminder that AI tools, while powerful, are not without risks. As AI systems become more deeply embedded in workflows, the potential for abuse grows. Users and organisations must take steps to protect themselves.

For users, vigilance is critical. Organisations should monitor AI agent behaviours, sanitise inputs, and implement robust access controls. Individuals must scrutinise the permissions granted to AI tools and remain cautious about the data they share. Radware’s research shows that even seemingly harmless features can become vectors for attack. The [escalating risks of AI systems](https://www.sovereignmagazine.com/article/ai-systems-generate-misinformation-experts-warn-of-escalating-risks) require constant attention from business leaders and technical teams alike.

For developers and providers, security must be a priority from the outset. Features like Memory and Connectors must be designed with safeguards that account for their expanded attack surface. [Tenable’s research on AI vulnerabilities](https://www.tenable.com/blog/hackedgpt-novel-ai-vulnerabilities-open-the-door-for-private-data-leakage) highlights the need to harden AI systems against indirect prompt injections and memory tampering.

The future of AI depends on balancing utility with security. Without proper safeguards, AI tools could become a liability. Convenience must not come at the cost of privacy and security. The responsibility lies with both users and developers to ensure that it does not.

## Further Context

**Q: What are agentic AI systems, and why are they particularly vulnerable to security threats?**
Agentic AI systems are autonomous AI tools designed to perform tasks across multiple applications without constant human oversight. They are particularly vulnerable to security threats because they:

These characteristics make agentic AI a prime target for attackers seeking to exploit autonomy, memory, and integration capabilities for data theft or other malicious activities.

**Q: How do indirect prompt injection attacks work, and what makes them hard to detect?**
Indirect prompt injection attacks manipulate AI systems by embedding hidden instructions in seemingly innocuous inputs, such as emails, documents, or web content. These attacks work by:

They are hard to detect because:

**Q: What is memory poisoning in AI systems, and how can it lead to long-term data leaks?**
Memory poisoning is a type of attack where malicious actors manipulate an AI’s memory—its stored data, preferences, or past interactions—to execute unauthorised actions. This can lead to long-term data leaks in several ways:

For example, an attacker could alter an AI’s memory to forward all summarised emails to an external server, creating a self-propagating breach that persists until the memory is purged or corrected.

**Q: What steps can organisations take to secure AI integrations like connectors and memory features?**
Organisations can mitigate risks associated with AI integrations by implementing the following measures:

These steps help balance the convenience of AI integrations with the need to protect sensitive data and systems.

**Q: How do AI data exfiltration methods differ from traditional cyberattack techniques?**
AI data exfiltration methods exploit the unique capabilities of AI systems, setting them apart from traditional cyberattack techniques in several ways:

Unlike traditional attacks, which often rely on exploiting software flaws or tricking users into clicking malicious links, AI data exfiltration methods manipulate the AI’s decision-making processes, making them harder to detect and prevent.
