Zero-Click Vulnerability in ChatGPT Agent Exposes Gmail Data
Imagine your inbox spilling secrets without you clicking a single thing. This week Radware disclosed a troubling finding: a zero-click vulnerability in the ChatGPT Deep Research agent that could cause Gmail content to be accessed and revealed while the agent browsed the web. The exploit required no interaction from the account holder, illustrating a new and significant risk as AI agents gain the ability to interact with personal services like email, calendars, and file stores.
What happened: how the exploit works
Radware, a cybersecurity firm, discovered the issue while testing the Deep Research agent’s web-browsing capability while it was authorized to a Gmail account. According to the disclosure, specially crafted web content could coax the agent into retrieving and transmitting sensitive Gmail message data as part of its browsing output. Because the user didn’t need to click anything on the malicious page for data exposure to occur, Radware labeled the flaw a zero-click vulnerability.
To see why this is worrying, consider how modern agents operate. Browsing-capable AI assistants load and parse web pages, follow links, and may run scripts or process embedded content depending on their design. Those capabilities make them powerful helpers, but they also expand the attack surface: any external access a model has can become an exfiltration vector when safeguards are incomplete or misapplied.
Why the zero-click vulnerability matters
This finding matters for several groups:
– Users: Email is assumed to be private and under the control of the account owner. A zero-click path that leaks message content, contacts, or attachments erodes trust and can expose sensitive personal or business information without any user action.
– Engineers: Developers must balance functionality and security. Enabling agents to read emails or other private resources creates complex policy questions — how to scope permissions, how to verify intent for each data access, and how to ensure robust logging and auditing.
– Policymakers: Regulators are trying to shape rules for autonomous systems that combine multiple data streams. Incidents like this highlight the need for standards on consent, transparency, and minimum security obligations when AI agents are granted access to personal data.
– Attackers: Zero-click vectors scale. A single crafted page or campaign could harvest information from many connected accounts without user interaction, making such attacks high-value for malicious actors.
Technical lessons and mitigation strategies
Security teams and product engineers can draw several practical lessons from the Radware report:
– Apply the principle of least privilege: Agents should request and be granted only the minimal scopes needed for a specific task. Avoid broad, persistent access to sensitive services like email.
– Enforce strict output sanitization: Browsing outputs should not include private account data unless there is explicit, auditable authorization for that exact action. Agents should redact or refuse to surface data from private accounts in generic browsing summaries.
– Harden content-origin and execution policies: Limit what web content the agent will fetch, parse, or execute. Treat untrusted pages as hostile by default and reduce or sandbox any dynamic features that could trigger data retrieval.
– Monitor and detect anomalies: Implement layered monitoring for unexpected data flows, unusual agent behavior, and deviations from typical request patterns. Rapid detection reduces dwell time and the scale of any compromise.
– Use time-bound and purpose-limited authorizations: Prefer short-lived tokens and purpose-restricted permissions to long-lived, broad access grants.
Trade-offs: usefulness vs. safety
There are real trade-offs. Restricting agent capabilities can hinder workflows that users value, such as having an assistant read messages and draft replies. Overly conservative defaults reduce convenience and may push users to unsafe workarounds. Conversely, permissive defaults increase risk and potential exposure. Product teams must weigh these trade-offs and be transparent with users about what an agent can access and why.
Regulatory and legal implications
Data-protection frameworks like the EU’s GDPR emphasize data minimization, purpose limitation, and accountability. A string of zero-click incidents would likely trigger calls for prescriptive controls: stronger notice-and-consent mechanisms, mandatory independent audits of agent data flows, and explicit obligations for providers to limit agent privileges by default.
What users and organizations should do now
For individuals:
– Review connected-app permissions in account settings and revoke any agents you don’t actively use.
– Favor time-bound and narrowly scoped authorizations.
– Treat highly sensitive accounts or data as off-limits for autonomous browsing agents.
For organizations:
– Treat agent integrations like any other infrastructure: apply threat modeling, penetration testing, and lifecycle security operations.
– Require logging and auditable consent for any agent access to corporate email or files.
– Establish policies for acceptable agent use and train staff on risks.
Conclusion: designing for privacy while enabling capability
Radware’s disclosure is a timely reminder that the convenience offered by intelligent assistants comes with responsibility. The zero-click vulnerability in the ChatGPT Deep Research agent shows how quickly capabilities like browsing and account access can create novel privacy and security failures. As AI agents become more embedded in daily workflows, designers, engineers, and regulators must ensure that convenience does not continually outpace the safeguards intended to protect people’s private lives. The choices we make now about permissions, defaults, and oversight will determine whether these systems respect inbox boundaries or routinely expose them.




