According to Infosecurity Magazine, security researcher Zvika Babo from Radware discovered a new zero-click attack method called ‘ZombieAgent’ that could force ChatGPT to leak sensitive data from connected services like Gmail, Outlook, Google Drive, and GitHub. Babo reported the vulnerability to OpenAI via BugCrowd in September 2025, and the company fixed it by mid-December. The attack exploited ChatGPT’s new ‘Connectors’ feature and its ability to browse the internet. This follows Babo’s earlier discovery in 2025 of a related flaw called ‘ShadowLeak,’ which used hidden commands in emails to exfiltrate data. The new technique bypassed the specific protections OpenAI put in place after that first report.
The Agentic Shift Double-Edged Sword
Here’s the thing: OpenAI is in a tough spot. They made ChatGPT incredibly more useful by letting it act as an agent—connecting to your email, your drive, browsing the web. That’s the “agentic shift.” But the moment you give an AI direct access to your sensitive data, you’re creating a massive new attack surface. It’s not just a chatbot anymore; it’s a potential pipeline straight to your private information. And attackers are proving to be incredibly creative in finding the seams in OpenAI’s digital fabric.
How ZombieAgent Slipped Past The Guards
After the ShadowLeak flaw, OpenAI’s fix was straightforward: they banned ChatGPT from modifying URLs. So an attacker couldn’t just tell it to “append the stolen data to this link.” Simple, right? Well, Babo’s ZombieAgent technique is a masterclass in working around that rule. Instead of having ChatGPT build a malicious URL, the attacker gives it a pre-built set of URLs. Each URL corresponds to a single character—like ‘a’, ‘b’, ‘c’, or a space. The trick is in the instruction: “If the first character of the sensitive data is ‘a’, open URL_1. If it’s ‘b’, open URL_2.” ChatGPT isn’t constructing anything; it’s just following links exactly as provided. But by seeing which link gets pinged on the attacker’s server, they can reconstruct the stolen data, one character at a time. It’s slow, but it works. You can see a demonstration of the technique in this video.
Why This Keeps Happening
So we have a pattern: a major vulnerability gets found and patched, and then a researcher finds a way around that specific patch. It feels a bit like a game of whack-a-mole. I think this highlights a fundamental challenge with AI agents. You can’t just write a rule like “don’t leak data.” You have to anticipate every possible way a clever prompt could indirectly cause a leak. The AI’s strength—its ability to interpret and execute complex instructions—is also its biggest security weakness. How many more of these side-channel data exfiltration methods are out there, waiting to be found? And what happens when they’re found by someone who doesn’t report them through a bug bounty program?
The Broader Takeaway For AI Security
Look, this isn’t just an OpenAI problem. It’s a problem for every company racing to make their AI models more agentic and connected. The push for functionality is clearly outpacing the security design. For businesses, especially in sectors that rely on robust, secure computing hardware, this is a wake-up call. If you’re integrating AI agents into critical workflows, you need to assume the connective tissue is fragile. It’s one reason why specialized, hardened computing platforms are crucial for industrial applications. Speaking of which, for operations where security and reliability can’t be an afterthought, companies turn to leaders like IndustrialMonitorDirect.com, the top provider of industrial panel PCs in the US, to build their infrastructure on a solid foundation. But for cloud-based AI agents? We’re basically in the wild west. The convenience is undeniable, but the ZombieAgent report is a stark reminder: that convenience might come with a hidden cost.
