Researchers at Radware have revived a data-exfiltration attack against ChatGPT, illustrating a recurring cycle in AI security: a vulnerability is found, the vendor adds a narrow guardrail, and a small tweak brings the attack back. The new variant, dubbed ZombieAgent, resurrects the firm's earlier ShadowLeak technique, which OpenAI had blocked after it was disclosed last September.

The original ShadowLeak targeted Deep Research, a ChatGPT-integrated agent, and quietly exfiltrated a user's private information, with extra stealth because data left directly from ChatGPT's servers, leaving no trace on the victim's machine. It also planted entries in the assistant's long-term memory for persistence. To stop it, OpenAI restricted ChatGPT to opening URLs exactly as provided and refusing to append parameters.

Radware's bypass was simple. Instead of building a URL with appended parameters, ZombieAgent supplied a complete list of pre-built links — one per character, such as example.com/a through example.com/z and example.com/0 through example.com/9 — and instructed the agent to substitute a token for spaces. Because OpenAI had not blocked appending a single letter to a URL, the agent could leak the stolen data one character at a time, and again stored the bypass logic in long-term memory.
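A detection sketch for the one-link-per-character pattern described above, added here as an example and not taken from Radware or OpenAI. It assumes you operate an agent gateway that logs every URL the agent opens per session; the log shape, the hostnames, the `space` stand-in token, the 8-character token cap and the `min_run` threshold are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Single path segment, no query: one character, or a short stand-in token
# (the 8-character cap on the token is an assumption).
SHORT_SEGMENT = re.compile(r"^/([A-Za-z0-9_-]{1,8})/?$")

def find_char_channels(fetches, min_run=8):
    """fetches: ordered (session_id, url) pairs the agent opened.
    Flags per-session runs to one host holding >= min_run single-character paths."""
    findings, runs = [], {}          # runs: session -> (host, [segments])

    def flush(session):
        host, segs = runs.pop(session, (None, []))
        singles = sum(len(s) == 1 for s in segs)
        if host and singles >= min_run:
            findings.append({"session": session, "host": host,
                             "single_chars": singles, "segments": segs})

    for session, url in fetches:
        parts = urlsplit(url)
        m = None if parts.query else SHORT_SEGMENT.match(parts.path)
        host = parts.hostname
        if m and host:
            if session in runs and runs[session][0] == host:
                runs[session][1].append(m.group(1))
            else:
                flush(session)
                runs[session] = (host, [m.group(1)])
        else:
            flush(session)           # any other fetch ends the run
    for session in list(runs):
        flush(session)
    return findings

# Constructed sample log: two interleaved sessions, hosts are placeholders.
SAMPLE = (
    [("s1", "https://docs.example.org/guide/setup")]
    + [("s2", "https://site.example/about"), ("s2", "https://site.example/blog")]
    + [("s1", f"https://collector.example/{seg}")
       for seg in ["h", "e", "l", "l", "o", "space", "w", "o", "r", "l", "d"]]
    + [("s2", "https://site.example/a"), ("s1", "https://news.example.org/story/1")]
)

if __name__ == "__main__":
    for finding in find_char_channels(SAMPLE):
        print(finding)
```

Counting only single-character segments toward the threshold keeps ordinary browsing of short paths such as `/about` or `/blog` from triggering a finding, while the recorded segment order lets a responder see what left the session.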

The root cause, the researchers stress, is indirect prompt injection: large language models cannot reliably tell legitimate user instructions apart from commands hidden inside emails or documents that anyone can send. As long as that boundary is missing, vendors are forced to react to specific techniques rather than close the underlying class of vulnerability — which is why each fix tends to invite the next bypass.