According to TheRegister.com, security researchers at Radware identified vulnerabilities in OpenAI’s ChatGPT that allow the exfiltration of personal information. They filed a bug report on September 26, 2025, and OpenAI reportedly fixed the issues on December 16. This was actually a re-fix, as OpenAI had already patched a related vulnerability called ShadowLeak on September 3, which was disclosed on September 18. ShadowLeak was an indirect prompt injection flaw in the Deep Research component, letting malicious instructions in linked services like Gmail or Google Drive cause ChatGPT to perform dangerous actions, like sending a password. OpenAI’s initial fix tried to stop ChatGPT from dynamically modifying URLs, but Radware’s Zvika Babo says they found a full bypass. The new attack method, named ZombieAgent, exfiltrates data one character at a time and can persist by abusing ChatGPT’s memory feature.
The déjà vu of AI security
Here’s the thing: this isn’t a one-off bug. It’s a pattern. OpenAI patches a critical prompt injection hole, and then researchers find a clever, lateral way around the specific defense. ShadowLeak was bad because it turned your connected inbox or cloud drive into a potential attack vector. So OpenAI blocked dynamic URL changes. Seems logical, right? But ZombieAgent’s approach is brutally simple. Why build a malicious URL on the fly when you can just have a pre-made set of URLs, each ending in a different character, and have the AI call them in sequence? It’s a workaround that makes the previous fix look myopic. It shows that trying to play whack-a-mole with individual attack methods is a losing game when the core problem is structural.
When memory becomes a weapon
And that brings us to the really unsettling part: memory. OpenAI knew this was a risk. Their countermove was to disallow using connectors (like Gmail) and memory in the same chat session. They also blocked ChatGPT from opening attacker URLs from memory. But, as detailed in the Radware report, that’s not enough. The AI can still access and *modify* memory, and *then* use connectors. The attack plants a rule in memory that says, “Hey, before you answer the user, check my email for new instructions.” Another rule says to save any sensitive data the user shares right into that same memory. So now, the AI is automatically leaking data before it even replies. It’s persistent. It’s a zombie agent, doing the attacker’s bidding in the background. That’s terrifying.
The fundamental blind spot
Pascal Geenens from Radware nailed it: this is a “critical structural weakness.” The core issue is that these AI agents are designed to be helpful, to synthesize and act on information from mixed-trust environments. But they fundamentally lack the ability to truly distinguish between a trusted system instruction and a malicious command hidden in a user’s email or a Google Doc. We’re giving them keys to sensitive systems and asking them to read untrusted mail. What did we think would happen? This isn’t just about stealing passwords. Babo’s team showed they could modify stored medical history to force the model to give wrong medical advice. The potential for silent, automated harm is huge.
So what’s the fix, really?
I think we’re seeing the early, painful adolescence of agentic AI. The promise is incredible—automated assistants that can truly act on your behalf. But the security model seems to be playing catch-up. You can’t just bolt security onto a system that, by its nature, blurs the line between instruction and data. The fixes so far feel like bandaids. The real solution probably requires a more fundamental architectural shift: maybe stricter sandboxing, much more granular permission models, or a way for the AI to formally validate the provenance and intent of instructions. But that’s hard. And in the meantime, every enterprise rolling out these AI agents needs to ask a tough question: do we have visibility into what our agents are actually doing, or are we just hoping they don’t get hijacked? Because attackers aren’t hoping. They’re already exploiting that blind spot.
