Researchers reveal a prompt‑injection bug in ChatGPT’s web summarizer that can embed malicious links, fake alerts and QR codes inside the AI’s response.
ChatGPT’s browser‑based summarization feature can be hijacked to serve phishing content, allowing any publicly accessible web page to become a delivery vector for malicious links, fake security alerts and QR‑code pivots [1]. The technique, dubbed “ChatGPhish” by Permiso researcher Andi Ahmeti, exploits the model’s inability to separate its own output from attacker‑controlled page content [2].
Key takeaways
Permiso’s researcher showed that by appending a small instruction payload to any public web page, an unauthenticated attacker can influence the text that ChatGPT returns when a user asks it to summarize that page [2]. Because the ChatGPT response renderer trusts Markdown links and images sourced from the summarized content, the injected payload appears as native UI elements—clickable links, styled alerts, or inline QR‑code images—without any origin label [2]. In the first scenario, the model displays a fabricated “account security” notification that includes a link to a malicious domain; in the second, a QR‑code image fetched from an attacker‑controlled bucket is rendered, allowing a victim to scan it with a phone and be redirected to a phishing site [3].
The vulnerability was first reported to OpenAI via Bugcrowd on 29 April 2026, where the company said it could not reproduce the issue [2]. A revised submission on 1 May 2026 added more detailed proof‑of‑concept steps, but OpenAI later treated the report as a duplicate of a previously logged problem [2]. The full details were published on 29 May 2026, coinciding with The Register’s coverage of the attack [1]. The researchers emphasize that the browser’s same‑origin policy offers no protection because the AI operates within the user’s authenticated context, effectively bypassing traditional web security boundaries [2].
The flaw highlights a broader challenge for AI‑integrated browsing tools: without clear separation between external content and model‑generated output, attackers can leverage trusted interfaces to deliver phishing and data‑exfiltration payloads [2]. Security teams are urged to restrict the use of AI summarization on pages that host user‑generated or otherwise untrusted content, enforce human approval before interacting with any links rendered by the assistant, and monitor for unexpected outbound image fetches [2]. As AI assistants become more embedded in everyday workflows, addressing prompt‑injection risks will be essential to prevent the browser itself from becoming a low‑barrier phishing delivery surface.
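The link-approval and image-fetch controls recommended above can be sketched as a filter applied to the assistant's Markdown before it is rendered. This is an added example, not code from Permiso, OpenAI or the original article; the function names, the allowlist policy and the `.test` sample domains are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Inline Markdown image ![alt](url) or link [text](url); an optional "title" is ignored.
MD_TARGET = re.compile(r'(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')

def http_host(url):
    """Lower-cased hostname of an absolute http(s) URL, otherwise None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None

def label_summary(markdown, page_url, image_allowlist=frozenset()):
    """Return (safe_markdown, findings) for an assistant summary of page_url."""
    page_host = http_host(page_url)
    findings = []

    def rewrite(m):
        is_image, text, url = m.group(1) == "!", m.group(2), m.group(3)
        host = http_host(url)
        if is_image:
            # The summarized page is untrusted, so only allowlisted hosts may serve images.
            if host in image_allowlist:
                return m.group(0)
            findings.append(("blocked_image", url))
            return "[image removed: %s]" % (host or "non-http source")
        if host is None:
            findings.append(("blocked_link", url))
            return "%s [link removed: non-http target]" % text
        if host != page_host:
            findings.append(("offsite_link", url))
        # De-link and show the destination so a human approves it explicitly.
        return "%s [link to %s, taken from the summarized page]" % (text, host)

    return MD_TARGET.sub(rewrite, markdown), findings

# Constructed sample: a summary carrying an injected alert link and QR image.
PAGE = "https://blog.example.test/post"
SAMPLE = (
    "The post covers pricing changes.\n\n"
    "**Security alert:** [Verify your account](https://login.phish.test/verify)\n\n"
    "![Scan to continue](https://bucket.phish.test/qr.png)\n\n"
    "Source: [full post](https://blog.example.test/post)\n"
)
```

The findings list is what a security team would forward to logging to spot unexpected outbound image fetches; the regex covers inline Markdown only, so reference-style links and raw HTML need separate handling.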
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 3 outlets · Jun 1, 2026 · How we report