What happens when the tools we trust to speed our work can quietly become the means by which our data walks out the door? That is the dilemma researchers say they now face as prompt-injection attacks evolve to exploit the new “agentic” features of large-language-model assistants — autonomous behaviors that let an AI act on a user’s behalf across apps and services.
Radware researchers have reported a novel class of prompt-injection exploits that target those agentic capabilities in ChatGPT-style assistants, demonstrating ways an attacker can feed adversarial instructions into the agent’s context so it performs actions that leak data or interact with connected services without explicit, informed user consent. The discovery underscores a widening gap between convenience and control as assistants gain autonomy.
Background: prompt injection and the rise of agentic features
Prompt injection is not new: it refers to adversarial inputs embedded in otherwise legitimate content that trick an LLM into following attacker-crafted instructions. Historically, such attacks required user interaction or relied on the model responding to malicious text placed directly in a prompt or webpage. The recent shift is the agentic model: assistants that are permitted to follow links, open documents, query calendars, access connected cloud storage or APIs, and take multi-step actions on behalf of users.
That combination — content that can be read by an assistant plus permissioned actions the assistant can take — creates attack patterns where a single implicit event (opening a message, clicking a link, or allowing an agent to “browse”) is sufficient to trigger data exposure. Security researchers have shown similar vectors in other agentic systems, where a crafted link or shared file contains instructions that the agent treats as authoritative contextual input and then acts upon, amplifying a one-click path into cross-service data exfiltration.
What Radware’s finding adds
According to the reporting and disclosures that followed Radware’s work, the novel element is how prompt injection can be combined with agentic flows inside ChatGPT-like assistants to produce “zero-click” or effectively zero-consent data leaks. An attacker can craft inputs that the agent ingests as contextual instructions and then use the agent’s own connectors and automation to collect or forward information from emails, calendars, cloud storage, or other integrated services — often without the user realizing a specific operation was executed.
Why this matters — four angles
- Technologists: The vulnerability is architectural as much as it is implementation-level. Agents that blur the boundary between “reading content” and “taking action” require new signal separation and robust intent-verification when executing tasks across accounts and services. Existing safeguards — static prompt filters or coarse permission prompts — are often insufficient against subtle contextual poisoning.
- Policymakers and regulators: The risk touches data privacy, consumer protection, and incident reporting regimes. If an assistant autonomously accesses or transmits data across services based on contextual instructions, regulators will need to clarify expectations for consent, transparency, and controls that ensure users retain meaningful oversight of automated actions.
- Users and organizations: Everyday conveniences — letting an assistant summarize email, build a schedule, or open links — can turn into avenues for compromise. For organizations, the attack surface now includes shared workflows (calendars, collaborative documents, intranet pages) where a malicious actor who can inject content may reach beyond a single endpoint and into multiple data stores.
- Adversaries: The technique lowers the cost of data collection and scaling of social-engineering campaigns. Low-effort content manipulation (a doctored invite, a public page with embedded instructions, or a shortened link) can leverage the agent’s privileges to do the heavy lifting.
What defenders can do now
- Design for separation of control and content: Treat web or document content as untrusted input and separate it from a protected control channel that contains action directives the agent may follow.
- Deploy intent gating and multi-factor action approval: Require explicit, contextual confirmations for actions that access or transmit sensitive data, and annotate those confirmations with clear human-readable rationale for the action.
- Sanitize and label context sources: Flag or strip likely adversarial constructs in content that an agent ingests, and track provenance so the agent can weigh the trustworthiness of each input before acting.
- Limit cross-service blast radius: Reduce default agent permissions and prefer scoped, short-lived tokens rather than broad, persistent access to email, files, or calendars.
- Audit and telemetry: Log agent actions in an auditable way and alert on unusual sequences that indicate automated data aggregation or unexpected forwarding.
Perspectives and trade-offs
Proponents of agentic assistants point out the productivity gains: agents can automate routine work, integrate data across services, and free knowledge workers to focus on higher-order tasks. Security teams counter that autonomy without strong oversight changes the threat model fundamentally. Policymakers face the job of balancing innovation with protections that preserve user agency and privacy. Meanwhile, product teams must weigh user experience against friction: adding too many confirmations negates the convenience agents promise, yet adding too few invites abuse.
Radware’s research and related reports also illustrate an uncomfortable truth for defenders: many attack scenarios are low-cost and exploit normal behaviors. That makes purely technical fixes insufficient; user education, clearer transparency about what agents can and will do, and stronger defaults are all necessary complements.
Conclusion
The agents are learning to act; the question now is whether we design the guardrails as thoughtfully as we design the capabilities. If a single embedded instruction can turn an assistant into an unwitting courier for sensitive data, the industry must decide whether to accept that risk in the name of convenience or to demand architectures that embed consent, provenance and intent verification at their core. Which future will prevail — one where agents do more and users understand and control those actions, or one where convenience quietly erodes control?
Source: https://www.infosecurity-magazine.com/news/new-zeroclick-attack-chatgpt/




