Overview
- Radware detailed ZombieAgent, a prompt‑injection method that exfiltrates data one character at a time using attacker‑supplied static URLs.
- The technique enables server‑side leakage from connected services such as Gmail, Outlook, Google Drive, and GitHub, leaving no visible signs of the activity on user devices.
- Researchers showed persistence by abusing ChatGPT’s long‑term memory to store bypass logic that is later read and executed.
- OpenAI responded by restricting the agent from opening links that originate from emails unless the link appears in a well‑known public index or was provided directly by the user, and by tightening connector and memory behaviors.
- Radware’s Zvika Babo and Pascal Geenens said the recurring exploit‑and‑patch cycle persists because LLMs cannot reliably separate trusted instructions from directives embedded in untrusted content.
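As an added example (not Radware's or OpenAI's code), the following Python shows a defender-side version of the link policy described in the fourth bullet, plus a log check for the request shape a character‑at‑a‑time leak leaves behind; the public index, URLs and fetch log are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-in for a "well-known public index" of hosts (assumption:
# the real index is a large curated list; three entries are enough to show the rule).
PUBLIC_INDEX = {"en.wikipedia.org", "github.com", "docs.python.org"}


def may_open(url, source, user_provided):
    """Policy: a link that originated in email content is opened only if its host
    is in the public index or the exact URL was supplied by the user.
    Links from other sources (e.g. typed by the user) are allowed through."""
    if source != "email":
        return True
    if url in user_provided:
        return True
    host = urlparse(url).hostname or ""
    return host in PUBLIC_INDEX


def suspicious_bursts(fetch_log, min_count=8):
    """Flag hosts that received at least min_count requests whose paths share one
    prefix and differ only in a 1-2 character trailing segment: the pattern that
    exfiltrating data one character per static URL produces."""
    by_host = defaultdict(list)
    for url in fetch_log:
        parsed = urlparse(url)
        prefix, _, tail = parsed.path.rstrip("/").rpartition("/")
        by_host[parsed.hostname].append((prefix, tail))
    flagged = []
    for host, parts in by_host.items():
        prefixes = {prefix for prefix, _ in parts}
        short_tails = all(0 < len(tail) <= 2 for _, tail in parts)
        if len(parts) >= min_count and len(prefixes) == 1 and short_tails:
            flagged.append(host)
    return flagged


# Constructed fetch log: eight one-character "drops" to an attacker host, followed
# by one ordinary fetch of an indexed site.
SAMPLE_FETCH_LOG = [f"https://collector.example/x/{c}" for c in "s3cret!k"] + [
    "https://en.wikipedia.org/wiki/Prompt_injection",
]

if __name__ == "__main__":
    print(may_open("https://collector.example/x/s", "email", set()))  # False
    print(suspicious_bursts(SAMPLE_FETCH_LOG))  # ['collector.example']
```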