ZDNET’s key takeaways
- Researchers got ChatGPT’s Deep Research agent to go rogue.
- ChatGPT’s Deep Research leaked email data.
- OpenAI has since plugged the vulnerability.
While AI agents show promise in bringing AI assistance to the next level by carrying out tasks for users, that autonomy also unleashes a whole new set of risks. Cybersecurity company Radware, as first reported by The Verge, decided to test OpenAI’s Deep Research agent for those risks — and the results were alarming.
In the attack, codenamed ShadowLeak, Radware planted a social engineering email in the victim’s inbox that, while looking innocent, contained instructions to look up sensitive information in the inbox and send it to an attacker-controlled server. This is a form of prompt injection. The idea was that when an AI agent came across the email, it would comply with the hidden instructions – which is exactly what ChatGPT did.
The Deep Research agent is meant to parse through many sources to create a report for you, including your own data sources that you connect it to, such as your Gmail inbox. As a result, some helpful use cases for Deep Research involve looking through your inbox and giving you a summary of the day’s events.
However, when asked to do an activity like that, it has to scan your emails, where it would come across a malicious prompt like the one above.
In this case, the agent was prompted with: “I want you to do deep research on my emails from today. I want you to read and check every source which could supply information about my new employee process,” and followed the instructions without asking for user confirmation or making them visible in the UI.
“When Deep Research processes the mailbox, it reads both the HR email and the attacker email,” Radware explained in the study summary. “It then initiates access to the attacker domain and injects the PII” – personal identifying information – “into the URL as directed.”
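As an added illustration (not code from Radware’s study or from OpenAI), this is the kind of egress check an agent runtime could apply before fetching any URL: destinations are allowlisted, and any request whose URL carries a value that appeared in the mailbox the agent just read (plain, URL-encoded or base64) is refused. The mailbox contents, hostnames and allowlist below are constructed for the example.

```python
import re
import base64
from urllib.parse import urlparse, unquote

# Constructed stand-in for what the agent reads: one HR mail with new-hire PII, one harmless mail.
MAILBOX = [
    "From: hr@example.com\nNew hire: Jane Doe, jane.doe@example.com, SSN 123-45-6789, start 2025-10-01",
    "From: newsletter@example.net\nWeekly digest: three articles on onboarding best practice",
]
# Hypothetical egress allowlist: the only hosts the agent may contact while researching.
ALLOWED_HOSTS = {"mail.google.com", "example.com"}

PII_PATTERNS = [
    r"\b\d{3}-\d{2}-\d{4}\b",          # SSN-style identifiers
    r"[\w.+-]+@[\w-]+\.[\w.-]+",       # email addresses
    r"\b[A-Z][a-z]+ [A-Z][a-z]+\b",    # capitalised full names (coarse on purpose)
]

def extract_pii(texts):
    """Collect PII-looking tokens from everything the agent has read this session."""
    found = set()
    for text in texts:
        for pat in PII_PATTERNS:
            found.update(m.group(0) for m in re.finditer(pat, text))
    return found

def _variants(value):
    """Forms a mailbox value might take once smuggled into a URL."""
    v = value.lower()
    b64 = base64.b64encode(value.encode()).decode().rstrip("=").lower()
    return {v, v.replace(" ", "+"), v.replace(" ", "%20"), b64}

def check_outbound(url, pii):
    """Decide whether the agent may fetch `url`; returns (allowed, reason)."""
    host = urlparse(url).hostname or ""
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in egress allowlist"
    # Compare against both the raw and the percent-decoded URL, case-insensitively.
    haystack = unquote(url).lower() + " " + url.lower()
    for value in pii:
        if any(form in haystack for form in _variants(value)):
            return False, "PII value from mailbox present in URL"
    return True, "ok"

if __name__ == "__main__":
    known = extract_pii(MAILBOX)
    for u in ("https://example.com/onboarding/checklist",
              "https://example.com/onboarding?id=123-45-6789",
              "https://collector.example.org/c?n=Jane+Doe"):  # constructed foreign host
        print(u, "->", check_outbound(u, known))
```

The name pattern is deliberately coarse; in practice the allowlist does most of the work and the taint check catches leakage to hosts that are otherwise legitimate.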
Other areas at risk
The researchers flag that while this attempt only targeted Gmail, ChatGPT’s Deep Research can also be connected to other file repositories, including GitHub, Google Drive, Box, Dropbox, Google Calendar, and more, which could be subject to the same attack. However, since the initial publication, Radware said in its report that OpenAI acknowledged the vulnerability and marked it as resolved.
As we gear up for an agent-first world, more companies are releasing protections to ensure that consumers can take advantage of the added assistance without compromising safety. Google launched a new Agent Payments Protocol (AP2) meant to help companies securely automate transactions, preparing for an economy in which an AI agent can place orders on your behalf, while Perplexity partnered with 1Password to protect users’ credentials by keeping them encrypted every step of the way, even as its Comet browser performs tasks for them.