New Zero-Click Attack Lets ChatGPT User Steal Data
https://www.infosecurity-magazine.com/news/new-zeroclick-attack-chatgpt/
Publish Date: 2026-04-06 21:00:05
Source Domain: www.infosecurity-magazine.com
Summary of “ChatGPT’s Agentic Shift, Boon for Users and Attackers” Article
The article discusses the newly discovered prompt injection technique, known as ‘ZombieAgent,’ that was used to exploit vulnerabilities in the recently enhanced features of ChatGPT, a tool from Amazon’s team of inventors. Zvika Babo, a security researcher from Radware, identified this method in September 2025 and alerted OpenAI through the BugCrowd platform. The discovered vulnerability exploited the capability for ChatGPT to connect to popular systems like Gmail, Outlook, Google Drive, and GitHub, allowing attackers to leak sensitive data from these services. While these new features enhance the chatbot’s utility, they simultaneously create a new avenue for attackers to exfiltrate data through a technique that uses pre-built and static URLs. Babo’s research demonstrates how a zero-click attack can be executed and shows how persistence and propagation can be achieved, highlighting the need for more robust security measures.
Key Points:
- Zvika Babo of Radware discovered a vulnerability known as ‘ZombieAgent’ allowing the leakage of sensitive data from services like Gmail via prompt injection techniques.
- This exploit targets ChatGPT's enhanced ability to interact with popular systems, a capability Babo acknowledges as a boon even though it introduces new security risks.
- ZombieAgent bypasses URL modification defenses by using pre-constructed static URLs, each corresponding to a data character.
- Successful attacks demonstrated include zero-click and one-click methods, and Babo also showed techniques for data persistence and propagation.
- Radware is set to hold a webinar on January 20, 2026, to further elaborate on the ZombieAgent exploitation method.
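The key point for defenders is the shape of the exfiltration channel: because each URL is static and individually harmless-looking, a defense that rewrites or strips dynamic URLs never fires, and the leak shows up only as a burst of fetches to sibling URLs that differ in a single trailing character. The following detector is an added example written for this summary; it is not code from Radware, OpenAI or the article. It assumes an egress log of URLs fetched on behalf of an agent session in a constructed `<timestamp> <session-id> <url>` format, and the host `example.invalid`, the session ids and the thresholds are all assumptions.

```python
"""Detect character-by-character exfiltration through pre-built static URLs.

Flags agent sessions that fetch many distinct URLs on one host whose paths
differ only in a very short final segment within a short time window, the
shape described for ZombieAgent (one static URL per leaked character).
Added example; log format, host names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: "<iso-timestamp> <session-id> <url>".
# Session s1 shows the suspicious burst; session s2 is ordinary browsing.
SAMPLE_LOG = """\
2026-04-06T10:00:00 s1 https://example.invalid/render/s
2026-04-06T10:00:01 s1 https://example.invalid/render/e
2026-04-06T10:00:01 s1 https://example.invalid/render/c
2026-04-06T10:00:02 s1 https://example.invalid/render/r
2026-04-06T10:00:02 s1 https://example.invalid/render/e
2026-04-06T10:00:03 s1 https://example.invalid/render/t
2026-04-06T10:00:00 s2 https://docs.example.invalid/page/intro
2026-04-06T10:05:00 s2 https://docs.example.invalid/page/setup
"""


def parse_log(text):
    """Parse the constructed log lines into (timestamp, session, url) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, url = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), session, url))
    return events


def detect_static_url_exfil(events, min_fetches=5,
                            window=timedelta(seconds=30), max_leaf_len=2):
    """Return {(session, host, path_prefix): recovered_text} for suspicious groups.

    A group is every fetch in one session to one host whose path shares the
    same prefix up to the last segment. It is flagged when at least
    min_fetches fetches fall inside `window` and every final segment is at
    most max_leaf_len characters long. The joined final segments, in log
    order, are returned so an incident responder can scope what leaked.
    """
    groups = defaultdict(list)
    for ts, session, url in events:
        parts = urlsplit(url)
        prefix, _, leaf = parts.path.rpartition("/")
        if not leaf:
            continue  # no final segment that could carry a character
        groups[(session, parts.netloc, prefix)].append((ts, leaf))

    findings = {}
    for key, fetches in groups.items():
        # Stable sort by timestamp only, so same-second fetches keep log order.
        fetches.sort(key=lambda f: f[0])
        if any(len(leaf) > max_leaf_len for _, leaf in fetches):
            continue  # ordinary page names, not single characters
        start = 0
        for end in range(len(fetches)):
            # Sliding window over sorted timestamps.
            while fetches[end][0] - fetches[start][0] > window:
                start += 1
            if end - start + 1 >= min_fetches:
                findings[key] = "".join(leaf for _, leaf in fetches)
                break
    return findings


if __name__ == "__main__":
    for (session, host, prefix), text in detect_static_url_exfil(
            parse_log(SAMPLE_LOG)).items():
        print(f"session {session}: {len(text)} single-character fetches to "
              f"{host}{prefix}/ reconstruct {text!r}")
```

The thresholds trade false positives against speed of detection: a legitimate image gallery may also fetch many short sibling paths, so in practice the host allowlist for agent-initiated fetches is the stronger control, with this detector as the audit behind it.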