ChatGPhish Flaw Turns ChatGPT Summaries Into Phishing Attacks

Cybersecurity researchers have disclosed a vulnerability in OpenAI’s ChatGPT that exploits the AI assistant's implicit trust in Markdown links and images to facilitate phishing attacks. Codenamed ChatGPhish by Permiso Security, the technique leverages the chatbot's web summarization feature to render malicious content directly within the trusted interface [1].

Key takeaways

• The ChatGPhish vulnerability exploits how ChatGPT renders Markdown links and images from third-party web pages [1].
• Attackers can embed payloads in web pages that leak user data, such as IP addresses and User-Agent details, when ChatGPT summarizes the content [1].
• The flaw allows malicious links and fake security alerts to appear as clickable elements inside the AI assistant's response [1].
• This attack vector shifts the risk from email attachments to routine browsing, as simply summarizing a page can trigger the exploit [2].

How summarization becomes a weapon

The vulnerability stems from the chatgpt.com response renderer, which automatically trusts and fetches Markdown images and links found on third-party pages that the assistant summarizes [1]. Security researcher Andi Ahmeti noted that this process auto-fetches images and surfaces links as live, clickable elements within the trusted user interface [1]. In a hypothetical attack scenario, a bad actor can append a small payload to a web page; when a victim prompts ChatGPT to summarize that page, the assistant fetches attacker-hosted images embedded in the content [1].

This mechanism can leak sensitive information, including the victim's IP address, User-Agent, and Referer details [1]. Beyond data leakage, the technique can render malicious Markdown links as live elements, serve fake system-style security alerts, or display QR codes hosted by an attacker [1]. These QR codes can trick victims into scanning them with a mobile device, effectively bypassing desktop URL filters and enterprise security controls [1].

A shift in the enterprise attack surface

The researchers emphasize that the significance of ChatGPhish lies not in the prompt injection itself, but in how instructions embedded in a web page are followed and presented to the user as part of the summary [1]. This means a regular web page is sufficient to render phishing links, spoofed account alerts, and QR codes directly inside a trusted AI interface [1]. As organizations increasingly rely on ChatGPT for research, any malicious web page an employee asks the AI to process could contain a payload that transforms the tool into a phishing surface [1].

Permiso Security noted that this shift from email to the browser significantly expands the potential attack surface, as users no longer need to open malicious attachments or interact with suspicious messages [1]. Simply summarizing a page during normal browsing activity can introduce attacker-controlled instructions into the model context and the rendered response [1]. This finding follows earlier research on Copilot and coincides with broader attacks targeting AI coding agents, such as SymJack and TrustFall [2].