ChatGPhish — Markdown Injection Turns ChatGPT Summaries Into a Phishing Surface
Permiso Security's ChatGPhish research shows how ChatGPT's Markdown rendering of summarized web pages can be weaponized to deliver phishing links, spoofed alerts, and QR codes inside the trusted assistant UI.
Summary
Permiso Security has disclosed a vulnerability in OpenAI ChatGPT’s response renderer that allows attackers to turn legitimate web page summaries into phishing delivery surfaces. The technique, named ChatGPhish, exploits how ChatGPT renders Markdown content from pages it summarizes.
The core issue: ChatGPT’s response renderer trusts Markdown links and image URLs that originate from a third-party page the assistant has just summarized. It auto-fetches images and renders links as live, clickable elements inside the trusted assistant UI. An attacker can append a small payload to any web page. When a victim asks ChatGPT to summarize that page, the assistant fetches attacker-hosted images, leaking the victim’s IP address along with the User-Agent and Referer headers, and malicious Markdown links appear as legitimate elements within the AI response.
Attack scenarios include serving fake system-style security alerts, delivering QR codes from attacker-controlled S3 buckets that bypass desktop URL filters and enterprise security controls, and embedding phishing links that direct users to credential harvesting pages — all rendered inside what the user perceives as a trusted ChatGPT conversation.
This builds on earlier research by Permiso showing how Microsoft Copilot’s email summarization feature could be exploited via cross-prompt injection (XPIA). The shift in attack surface from email to browser-based AI interfaces significantly expands the potential reach: a user no longer needs to open a malicious attachment. Simply asking ChatGPT to summarize a page during normal browsing introduces attacker-controlled content into the model context and into the rendered response.
Why It Matters
As organizations increasingly integrate AI assistants into daily workflows, the summarization feature becomes an attack vector that bypasses traditional security controls. A malicious webpage that passes URL reputation checks, email filters, and web proxies can still be turned against an employee who asks an AI to summarize it. The trust users place in AI interfaces makes them particularly vulnerable to content rendered inside that trusted context. For security teams, ChatGPhish represents a new category of prompt injection risk that requires both technical and awareness-based defenses.
Defender Takeaways
- Educate users that AI-generated summaries can contain attacker-controlled content — the trusted UI is not guaranteed safe.
- Monitor for internal access to known ChatGPhish demonstration pages and weaponized payload URLs.
- Evaluate AI governance policies around what types of web content employees should prompt AI assistants to summarize.
- Review browser security controls — enterprise browsers or web filtering may need to block auto-fetched external content in AI interfaces.
- Watch for platform-level fixes from OpenAI and other AI providers; this is a renderer trust issue that requires vendor-side remediation.
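Added example (not from Permiso, OpenAI, or the source article): one way a renderer or an AI gateway could treat Markdown in a summary as untrusted, removing images from non-allowlisted hosts so nothing is auto-fetched and turning non-allowlisted links into inert text that shows the real destination host. The function names, the allowlist, and the sample summary are assumptions constructed for illustration; only inline-syntax images and links are handled.

```javascript
// Added example: names, allowlist and sample text are hypothetical.
const ALLOWED_HOSTS = new Set(["docs.example.com"]); // assumed org allowlist

// Return the lowercase hostname for http(s) URLs, otherwise null.
function hostOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return /^https?:$/.test(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch {
    return null; // relative or malformed target
  }
}

// Matches inline ![alt](url "title") and [text](url "title").
const INLINE = /(!?)\[([^\[\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

function neutralizeMarkdown(markdown, allowed = ALLOWED_HOSTS) {
  const findings = [];
  let text = markdown;
  let previous;
  // Repeat until stable so a linked image, [![alt](img)](href), loses both
  // the auto-fetched image and the clickable wrapper around it.
  do {
    previous = text;
    text = text.replace(INLINE, (match, bang, label, url) => {
      const host = hostOf(url);
      if (host && allowed.has(host)) return match; // allowlisted: keep
      const shown = host || "unknown host";
      findings.push({ kind: bang ? "image" : "link", host: shown, label });
      // Image: dropped, so the client never requests the remote URL (the
      // request is what exposes IP, User-Agent and Referer).
      if (bang) return `(external image removed: ${shown})`;
      // Link: inert text that shows the real destination host.
      return `${label} (link removed: ${shown})`;
    });
  } while (text !== previous);
  return { text, findings };
}

// Constructed sample of a summary carrying injected Markdown.
const SAMPLE_SUMMARY = [
  "The page describes a quarterly report.",
  "![status](https://cdn.attacker.example/pixel.png)",
  "**Security alert:** [Verify your account](https://login.attacker.example/sso)",
  "[![Scan](https://bucket.attacker.example/qr.png)](https://attacker.example/m)",
  "Reference: [internal docs](https://docs.example.com/guide)",
].join("\n");

console.log(neutralizeMarkdown(SAMPLE_SUMMARY).text);
```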
Source
Title: ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface — The Hacker News
URL: https://thehackernews.com/2026/05/chatgphish-vulnerability-turns-chatgpt.html
Related
- Social Engineering — detection and response for T1566 techniques
- Email Security for Analysts — covers email security architecture concepts for analysts
- Cloud Threats — detection and response for T1525, T1552, T1613 techniques
