OpenAI has corrected a vulnerability in ChatGPT’s Deep Research feature that could have been exploited to scrape sensitive information from a user’s Gmail without any on-screen indication, according to The Register. According to researchers from Radware, this includes people using the service who would not even see the data extraction process happening manually.
The vulnerability relied on a classic prompt injection trick: a poisoned email that secretly tells the AI to collect and steal sensitive information when the user asks it to analyze their inbox.
The finding, first reported by Bloomberg, highlights a bigger threat as AI assistants tap into personal and corporate data sources. Although the exploit relied on particular user choices, it provides a glimpse of how attackers could transform ordinary content — like an email, a document, or a web page — into an “AI land mine” that detonates when an assistant reads it.
How the Exploit Worked to Exfiltrate Gmail Data
ChatGPT’s Deep Research can also connect, with user permission, to services like Gmail, Google Drive, and OneDrive in order to summarize messages and files or respond to questions. Radware found that if a poisoned email lay in a user’s inbox, obfuscated commands within the message could direct the assistant to perform tasks it wasn’t supposed to do — say, listing names and addresses or other personal information — and send that information to an attacker-controlled endpoint.
The scientists worked hard, they say, to create a rigorously reliable proof of concept. It used a long, well-crafted phishing email that appeared to be run-of-the-mill HR communication but contained text meant to override how the AI reacts behind its normal guardrails. The trap only snared when certain prompts were offered — such as the request for HR-related insights across the mailbox — which made this a targeted, contextual attack rather than a broad, one-click compromise.
Most important, according to Radware, exfiltration happened “silently,” meaning the ad click alone triggered the action without prompting an explicit confirmation dialog or visible web browser behavior. And because the outbound request came from OpenAI’s infrastructure, not the user’s device, old-school defenses like secure web gateways, endpoint monitoring, and browser policies probably would not catch it.
OpenAI’s Patch and What May Have Changed
OpenAI implemented a fix and later admitted to the issue, according to Radware. Neither company offered a full technical description, but remediation in such cases usually involves tighter content sanitization and stricter scrutiny of behaviors that use the tool (for example, network calls), as well as stronger enforcement of model guidance against data exfiltration. The practical result: hidden prompts embedded in emails would no longer be able to coerce the assistant into retrieving and transmitting inbox data without a user’s consent.
This defense also reflects the trend in new guidance emerging across the industry. Prompt injection is the highest-risk category in the OWASP Top 10 for LLM Applications, with untrusted content passed to an AI system potentially hijacking downstream tools and data connectors. The aim of patches such as OpenAI’s is to dam the risks at the model, middleware, and policy levels.
Why This Vulnerability Matters for Security and Privacy
The incident underscores a fundamental conflict in agentic AI: assistants don’t just read content, they act on it. If integrated with email, cloud drives, or APIs, a single malicious command can spread to data fetching, processing, and dissemination. That changes the traditional perimeter. The “user’s device” is no longer the sole source of risky behavior; cloud-homed AI tooling can be the egress point.
Other AI sellers have raised the broader issue. Both Anthropic and Brave Software, for instance, have sounded the alarm about prompt injection attacks lurking inside web pages as well as browser extensions that incorporate AI. MITRE’s ATLAS knowledge base and industry advisories also document tactics that include hiding commands in locations where defenders would not think to look — docs, PDFs, wiki pages, and internal chats — for an AI agent to consume.
Minimizing Risk: Practical Steps You Can Take Now
In the case of individuals, your AI connections should be limited. Only give access to the mailboxes you need, reviewing only necessary folders and accounts. Stay away from running a wide query over sensitive archives and treat emails from unknown senders — especially long, finely detailed, or “procedural” messages — as potential injection vectors.
For enterprises, consider that untrusted content can consist of prompt injections, and place guardrails around AI assistants:
- Apply least-privilege access when connecting assistants to Gmail, Drive, and other data stores, and isolate high-risk mailboxes from AI analysis.
- Require a user action for sensitive operations (e.g., network requests when exporting email or accessing host data for document analysis), especially in places where it is easy to overlook.
- Implement server-side cleansing of incoming messages to remove or neutralize hidden AI commands. Although not perfect, layered content filtering helps minimize the chances of successful injection.
- Instrument and record AI tool usage. Route HTTP requests initiated by assistants through egress controls you can watch and block; not all outbound calls should be allowed from AI services.
- Adopt frameworks such as the NIST AI Risk Management Framework alongside OWASP’s LLM guidance to standardize testing for prompt injection and tool-abuse scenarios.
The Bigger Picture: How AI Changes Threat Models
This case isn’t about just one vendor or bit of functionality; it’s a preview of how AI will reshape threat models everywhere assistants are reading and acting on our data. Email is especially vulnerable because it is a mix of sensitive content and an ongoing flow of untrusted messages. Even with the patch on, defenders need to think of prompt injection as a more evergreen and flexible method and fortify not just the AI stack itself but also all the pathways it comes into contact with.
The takeaway, in short? AI can be a game-changing productivity enhancer. But when you give it access to your inbox, treat it like what it is: a system holding keys to the kingdom.
Check what it can see, restrict what it can do, and observe what it sends — especially when the request was not obviously initiated by you.