(Photo Illustration by Jaque Silva/NurPhoto via Getty Images)
Don't miss out on our latest stories. Add PCMag as a preferred source on Google.
OpenAI has patched a flaw that could have allowed hackers to manipulate ChatGPT into leaking private information from a victim’s Gmail inbox.
Cybersecurity vendor Radware discovered and reported the vulnerability, according to Bloomberg. The problem involved ChatGPT’s "deep research" function, which can handle more complex tasks, including browsing the web and analyzing messages and files in your inbox.
(Credit: OpenAI)With your permission, deep research can connect to Gmail, Google Drive, Microsoft’s OneDrive, and a variety of other apps. The vulnerability arises if a user asks ChatGPT to perform a deep research-related query on their Gmail inbox. Radware found ChatGPT could be manipulated into scanning and leaking the user’s private information if it encounters a hacker-written email containing secret instructions to tamper with the chatbot.
The proof-of-concept attack wasn’t easy to develop and execute. Radware said, “This process was a rollercoaster of failed attempts, frustrating roadblocks, and, finally, a breakthrough,” which involved creating a lengthy, specially crafted phishing email that pretends to talk about the company’s HR processes. But in reality, the email is designed to dupe ChatGPT into executing the malicious instructions by extracting relevant names and addresses from the user’s inbox and sending them to the hacker.
Still, triggering the attack is dependent on the user running ChatGPT’s deep research on their Gmail inbox for insights related to HR. As a result, the threat acts more like a digital landmine that can only be activated under certain circumstances. But if it’s triggered, ChatGPT will gather the sensitive information and send it to a hacker-controlled web page, “without user confirmation and without rendering anything in the UI (user interface),” Radware says.
The same attack is also hard for cybersecurity tools to detect and stop. “Traditional enterprise defenses—such as secure web gateway, endpoint monitoring, or browser security policies—cannot see or intercept the exfiltration, because it originates from OpenAI’s own infrastructure rather than the user’s device or browser session,” Radware adds.
In response to the findings, OpenAI told PCMag: "It’s very important to us that we develop our models safely. We take steps to reduce the risk of malicious use, and we’re continually improving safeguards to make our models more robust against exploits like prompt injections. Researchers often test these systems in adversarial ways, and we welcome their research as it helps us improve.”
According to Radware, OpenAI patched the flaw in August before acknowledging it in September.
The findings highlight the persistent threat of hackers planting hidden instructions in web content to manipulate chatbots into executing malicious actions. Last month, both Anthropic and Brave Software warned about the threat potentially affecting AI-powered browsers and browser extensions.
Radware's research shows that the danger can also affect email inboxes that feature an AI integration. To fend off the threat, the company says safeguards could include "sanitizing" emails to try and rid the hidden AI instructions, along with better monitoring of chatbot actions.
Disclosure: Ziff Davis, PCMag's parent company, filed a lawsuit against OpenAI in April 2025, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.