This 'ZombieAgent' zero click vulnerability allows for silent account takeover - here's what we know

News
By published

ChatGPT was vulnerable to prompt injection, too

ChatGPT logo
(Image credit: Getty Images/DeFodi Images News )
  • OpenAI’s new “apps” feature enables ChatGPT to connect with external services like email and storage
  • Radware discovered “ZombieAgent,” a prompt injection flaw allowing hidden commands to exfiltrate or propagate data
  • Exploits include zero-click, one-click, persistence, and worm-like propagation; OpenAI patched it December 16

OpenAI recently introduced a new feature for ChatGPT which, unfortunately, also puts users at risk of data exfiltration and persistent access.

In December 2025, a feature called Connectors finally moved out of beta and into general availability. This feature allows ChatGPT to connect to numerous other apps, such as calendars, cloud storage, email accounts, and similar - gaining more context and thus providing users with better, more relevant responses.

The feature is now called ‘apps’ but, according to security researchers Radware, also opens up the tool to a major vulnerability - prompt injection attacks.

Four methods of abuse

Radware dubbed the vulnerability 'ZombieAgent' and in practice, it’s not that much different from the vulnerabilities we’ve seen in Gemini and other GenAI tools.

Connecting ChatGPT to, Gmail, for example, allows the tool to read incoming emails and give contextual answers about conversations, scheduled calls and meetings, pending invitations, and similar.

However, an incoming email could contain a hidden malicious prompt - something written in white font on a white background, or with font size 0. Invisible to the human eye, but still readable by the machine.

If the victim asks ChatGPT to read that email, the tool could execute those hidden commands without user consent or interaction. The commands could be pretty much anything, from exfiltrating sensitive data to a third-party server, to using the inbox to propagate further.

Radware identified four ways in which ZombieAgent can be abused - a zero-click server-side attack (the malicious prompt is in the email and ChatGPT exfiltrates data before the user even sees the content), one-click server-side attack (the prompt is in a file which the user must first upload), gaining persistence (a malicious command designed to be stored into ChatGPT’s memory), and propagation (the malicious prompt is used to propagate further, like a worm).

Radware said OpenAI fixed the problem on December 16 but did not detail how.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.