Infosecurity Magazine — ZombieAgent zero-click prompt injection in ChatGPT connectors
AI relevance: ZombieAgent targets ChatGPT’s agentic connectors (Gmail/Drive/GitHub, etc.), showing how indirect prompt injection can silently extract data from AI systems that operate across user SaaS accounts.
- ZombieAgent is a zero-click indirect prompt-injection technique reported by Radware that abuses ChatGPT’s connector workflows to exfiltrate data from linked services.
- The attack uses pre-built static URLs (one per character) so the model never “constructs” a URL — bypassing OpenAI’s URL-modification safeguards.
- Exfiltration can occur server-side inside OpenAI’s cloud, which means local endpoint and network defenses may never see the data movement.
- The report claims a persistence step: attackers can implant rules in the agent’s long-term memory to keep leaking future conversations.
- Radware demonstrated both zero-click and one-click variants by embedding hidden instructions in email content that the agent later reads.
- The technique includes a propagation path to spread across contacts, raising the risk of worm-like campaigns inside organizations.
- Radware disclosed the issue in September 2025; OpenAI shipped mitigations in mid-December, but Radware's report shows those mitigations can still be bypassed.
Why it matters
- Connector-based agents blur the boundary between “chat” and automated access to live SaaS data — exactly where prompt injection becomes real data loss.
- URL rewriting, allowlists, and UI warnings are insufficient on their own if attackers can encode exfiltration into static link sets.
- The persistence angle means incidents may not be one-off leaks — they can become continuous exfiltration pipelines if memory is compromised.
What to do
- Re-audit connector permissions and remove any that aren’t essential for each agent workflow.
- Disable or restrict auto-browse/auto-open behaviors for connectors; require explicit user confirmation for link fetches.
- Where you have visibility into the agent's link fetches (connector audit logs, or an egress proxy in front of connector traffic), monitor for high-volume or patterned outbound link opens (e.g., sequential “a0/a1/a2…” URLs) that signal character-by-character exfiltration; because the fetches may originate inside OpenAI's infrastructure, endpoint telemetry alone will not show them.
- Periodically reset/clear long-term agent memory and log memory changes in production deployments.
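The monitoring idea in the list above, worked as an added example (this is not code from the article, from Radware or from OpenAI). It assumes you can export a log of link fetches made on behalf of an agent session in the form "timestamp session-id url", and it flags a session that opens many URLs differing only in a short final path token within a time window, which is the shape a pre-built one-URL-per-character link set produces. The sample log, the host exfil.example and the token names are constructed for illustration and say nothing about the actual link set Radware used.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed log line format for this example: "<ISO-8601 timestamp> <session id> <url>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one fetch-log line into (timestamp, session, url)."""
    ts, sess, url = LOG_RE.match(line.strip()).groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), sess, url


def split_url(url):
    """Return (host + parent path, last path token) so that URLs which differ only
    in their final token collapse onto one grouping key."""
    p = urlsplit(url)
    parts = p.path.rstrip("/").split("/")
    return p.netloc + "/".join(parts[:-1]), parts[-1]


def find_char_exfil(lines, window=timedelta(minutes=5), min_burst=8, max_token_len=2):
    """Flag (session, base URL) pairs that fetch at least `min_burst` URLs inside
    any `window` where the only varying part is a 1..max_token_len character token."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    groups = defaultdict(list)
    for ts, sess, url in events:
        base, tok = split_url(url)
        if 1 <= len(tok) <= max_token_len:
            groups[(sess, base)].append((ts, tok))
    alerts = []
    for (sess, base), hits in groups.items():
        # Largest number of short-token fetches that fall inside one sliding window.
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_burst:
            alerts.append({
                "session": sess,
                "base": base,
                "burst": best,
                "tokens": [t for _, t in hits],  # fetch order = the leaked sequence
            })
    return alerts


# Constructed sample log. "sess-benign" browses normally; "sess-leak" opens a run of
# near-identical URLs whose final token changes each time. Hypothetical host/tokens.
LEAK_TOKENS = ["a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "b0", "b1"]
SAMPLE_LOG = [
    "2025-12-19T10:00:01Z sess-benign https://docs.example.com/guide/install",
    "2025-12-19T10:00:04Z sess-benign https://docs.example.com/guide/configure",
    "2025-12-19T10:00:09Z sess-benign https://status.example.com/",
    "2025-12-19T10:00:15Z sess-benign https://example.com/a",  # one short token is not a burst
] + [
    f"2025-12-19T10:05:{i:02d}Z sess-leak https://exfil.example/l/{tok}"
    for i, tok in enumerate(LEAK_TOKENS)
]

if __name__ == "__main__":
    for a in find_char_exfil(SAMPLE_LOG):
        print(f"{a['session']} -> {a['base']}: {a['burst']} fetches in window, "
              f"token sequence {' '.join(a['tokens'])}")
```

The grouping key is host plus parent path, so a link set that carries the character in a query parameter or a subdomain instead would need `split_url` adjusted to extract that part. Tune `window` and `min_burst` to the normal fetch rate of your agents; a legitimate workflow rarely opens eight or more one- or two-character sibling URLs inside a few minutes, and the reported token order is what an analyst would decode against the attacker's link set to learn what was leaked.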