ChatGPT Falls to New Data-Pilfering Attack as a Vicious Cycle in AI Continues

The AI security community has witnessed a recurring cycle: a vulnerability is disclosed, a vendor patches it, and attackers quickly devise a variant that sidesteps the fix. This reactive approach stems from the inherent design of large‑language models, which treat any user‑supplied text as a legitimate instruction. Guardrails therefore target specific prompt‑injection patterns rather than the broader class of malicious directives. As a result, each mitigation becomes a temporary band‑aid, leaving the underlying problem of distinguishing intent from content unresolved. Without a unified model for intent validation, each patch merely narrows the attack surface.

ZombieAgent, the latest exploit uncovered by Radware, illustrates how minimal changes can resurrect a previously blocked attack. By supplying a pre‑generated list of URLs—each differing by a single character—the model appends data one letter at a time, evading OpenAI’s rule that forbids dynamic URL construction. The payload also writes the malicious prompt into the user’s long‑term memory, granting persistence across sessions. This character‑by‑character exfiltration requires no client‑side breach, making it especially stealthy for enterprises that rely on protected endpoints. The technique also demonstrates how attackers can leverage the model’s own memory to embed malicious logic.

The persistence of prompt‑injection flaws signals a strategic shift for organizations deploying AI assistants. Relying solely on vendor‑issued guardrails exposes enterprises to data leakage, compliance breaches, and reputational damage. Security teams must adopt layered defenses: input sanitization, context‑aware monitoring, and strict API usage policies. Moreover, the industry needs fundamental research into intent verification and sandboxed execution environments for LLMs. Until such architectural safeguards mature, the cat‑and‑mouse game between researchers and AI providers is likely to continue, reinforcing the importance of proactive risk management. Adopting zero‑trust principles for AI interactions can further reduce the attack window.