Researchers have found a new way to steal private information from ChatGPT users. The attack works even after OpenAI added protections against an earlier threat. According to Ars Technica, security firm Radware calls the new method ZombieAgent. It sends stolen data directly from ChatGPT servers. This means user devices show no signs of a breach.
How the Attack Works
The problem began with ShadowLeak, an earlier attack Radware disclosed last September. It targeted Deep Research, an AI agent built into ChatGPT. The attack tricked the AI into opening special web links. Those links carried stolen user data in their address strings.
OpenAI fixed that problem by blocking ChatGPT from adding extra information to web addresses. The AI could only open links exactly as written. But Radware found a simple workaround.
Letter-by-Letter Data Theft
ZombieAgent gets around the fix by providing a complete list of pre-made web addresses. Each address ends in a single letter or digit. For example, one link ends in /a, another in /b, and so on through the alphabet and the digits 0 through 9. The injected instructions tell the AI to open these links one at a time, in the order that spells out the stolen data. Each request records one character of that data in the attacker's web server log, so no address ever has to be modified.
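From the defender's side, the pattern described above leaves a distinctive trace on whichever web server receives the requests: one client fetching a burst of single-character paths in quick succession. The following detector is an added example written for this article, not code from Radware or from the article itself. It runs over a handful of constructed access-log lines (documentation IP addresses, invented timestamps) and flags any client that requests at least five single-character paths within a thirty-second window; both thresholds are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined log format). These lines are made up
# for this example; they are not from the research the article describes.
# 203.0.113.7 browses normally; 198.51.100.9 shows the per-character pattern.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "GET /css/site.css HTTP/1.1" 200 220
198.51.100.9 - - [10/Jan/2026:12:00:03 +0000] "GET /s HTTP/1.1" 404 0
198.51.100.9 - - [10/Jan/2026:12:00:03 +0000] "GET /e HTTP/1.1" 404 0
198.51.100.9 - - [10/Jan/2026:12:00:04 +0000] "GET /c HTTP/1.1" 404 0
198.51.100.9 - - [10/Jan/2026:12:00:04 +0000] "GET /r HTTP/1.1" 404 0
198.51.100.9 - - [10/Jan/2026:12:00:05 +0000] "GET /e HTTP/1.1" 404 0
198.51.100.9 - - [10/Jan/2026:12:00:05 +0000] "GET /t HTTP/1.1" 404 0
203.0.113.7 - - [10/Jan/2026:12:00:09 +0000] "GET /a HTTP/1.1" 200 10
"""

# Client IP, bracketed timestamp, request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A path that is exactly one lowercase letter or one digit, e.g. /a or /7.
SINGLE_CHAR_PATH = re.compile(r'^/[a-z0-9]$')


def parse_line(line):
    """Return (client_ip, timestamp, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def find_char_exfil(log_text, min_hits=5, window=timedelta(seconds=30)):
    """Return {client_ip: characters} for every client that requested at least
    `min_hits` single-character paths inside any `window`-long span.

    The returned string is the sequence of path characters in request order,
    which is what the server log actually recorded for that client."""
    hits = defaultdict(list)  # client_ip -> [(timestamp, character)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if SINGLE_CHAR_PATH.match(path):
            hits[ip].append((ts, path[1:]))

    findings = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])  # stable: same-second requests keep log order
        start = 0
        for end in range(len(events)):
            # Slide the window forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_hits:
                findings[ip] = "".join(ch for _, ch in events)
                break
    return findings


if __name__ == "__main__":
    for ip, chars in find_char_exfil(SAMPLE_LOG).items():
        print(f"{ip}: {len(chars)} single-character requests, sequence {chars!r}")
```

A single-character request on its own is noise (the normal client above fetches /a once and is not flagged); the signal is the rate and the count from one client, so keep the window and threshold in proportion to how quickly an agent can issue fetches.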
The attack can also store its instructions in ChatGPT’s long-term memory for each user. This makes it persist across multiple sessions.
Root Cause Remains Unfixed
The real issue is prompt injection. Large language models cannot tell the difference between valid commands from users and fake instructions hidden in emails or documents. When a user asks the AI to read an email, the model treats any commands in that message as real.
OpenAI has now blocked ZombieAgent by stopping ChatGPT from opening links in emails unless they appear in public indexes or come directly from users in chat. But this fix only stops one specific method. It does not solve the broader problem.
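The two fixes the article describes differ in what they check: the first looks only at the link itself (it must be opened exactly as written), while the second looks at where the link came from (user chat or a public index). The policy checker below is an added example for this article, not OpenAI's or Radware's code, and it models each rule as a plain function over a constructed email. The email text, the user message, and the "public index" (modelled here as a set of known URLs, an assumption) are all invented for the example.

```python
import re

# Matches http(s) URLs up to whitespace or a closing quote/bracket.
URL_RE = re.compile(r'https?://[^\s<>"\')]+')

# Constructed email: two legitimate links plus a block of pre-made single-character
# links on an attacker-controlled placeholder domain. The injected instructions that
# would accompany such a block in a real message are deliberately left out.
CONSTRUCTED_EMAIL = """\
Hi team, the press release is live at https://www.example.com/press/q3
and the internal draft is at https://intranet.example.com/reports/q3-draft
https://attacker.example/a https://attacker.example/b https://attacker.example/c https://attacker.example/0
"""

# What the user typed in chat: a request plus one link they pasted themselves.
USER_MESSAGE = "Summarize this email. The draft is https://intranet.example.com/reports/q3-draft"

# Stand-in for "appears in a public index" (assumed to be a lookup by exact URL).
PUBLIC_INDEX = {"https://www.example.com/press/q3"}


def extract_urls(text):
    """All URLs in `text`, in order of appearance."""
    return URL_RE.findall(text)


def exact_match_only(candidate, content_urls):
    """Rule from the first (ShadowLeak) fix as the article describes it: the agent may
    open a link only if that exact string appears in the content it is reading, so it
    cannot append data to an address. Pre-made links pass because they do appear verbatim."""
    return candidate in content_urls


def source_restricted(candidate, user_message_urls, public_index):
    """Rule from the second (ZombieAgent) fix as described: a link found in an email is
    opened only if the user supplied it in chat or it is in a public index. Where the
    link appears in the email no longer matters."""
    return candidate in user_message_urls or candidate in public_index


def evaluate(email_text, user_message_text, public_index, policy):
    """Return {url: allowed} for every URL in the email under the named policy."""
    content_urls = extract_urls(email_text)
    user_urls = set(extract_urls(user_message_text))
    decisions = {}
    for url in content_urls:
        if policy == "exact_match_only":
            decisions[url] = exact_match_only(url, set(content_urls))
        elif policy == "source_restricted":
            decisions[url] = source_restricted(url, user_urls, public_index)
        else:
            raise ValueError(f"unknown policy: {policy}")
    return decisions


if __name__ == "__main__":
    for policy in ("exact_match_only", "source_restricted"):
        print(policy)
        for url, ok in evaluate(CONSTRUCTED_EMAIL, USER_MESSAGE, PUBLIC_INDEX, policy).items():
            print(f"  {'open ' if ok else 'block'} {url}")
```

Under the first rule every pre-made link is opened, which is exactly the gap the article describes; under the second, only the publicly indexed link and the one the user pasted survive. Note what the second rule still does not do: it says nothing about instructions in the email that do not involve links at all, which is why the text calls it a fix for one method rather than for prompt injection.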
Pascal Geenens from Radware wrote that guardrails are quick fixes, not real solutions. As long as AI models cannot distinguish instruction sources, prompt injection attacks will continue. The pattern repeats: researchers find a flaw, companies patch it, and attackers adapt with small changes.