Overview
Permiso Security has publicly disclosed ChatGPhish, a vulnerability in OpenAI’s ChatGPT that weaponises the assistant’s web summarisation capability as a phishing delivery mechanism. Discovered by researcher Andi Ahmeti, the flaw exploits ChatGPT’s implicit trust in Markdown syntax — specifically links and image URLs — sourced from third-party pages that the model has been asked to summarise. The result is that attacker-controlled content, including phishing links, fake system alerts, and QR codes, can be rendered as live, interactive elements directly inside ChatGPT’s trusted UI without any additional user interaction beyond issuing a summarisation prompt.
The finding is significant because it shifts the phishing attack surface away from traditional email delivery and into routine, trust-inducing AI workflows.
Technical Analysis
The attack chain is deceptively simple. An attacker embeds a small Markdown payload into any publicly accessible web page. When a victim asks ChatGPT to summarise that page, the following occurs:
- Image auto-fetch / data exfiltration: ChatGPT’s response renderer automatically fetches attacker-hosted images referenced in the Markdown. This causes the victim’s browser to issue an outbound request to the attacker’s server, leaking the victim’s IP address, User-Agent string, and Referer header — sufficient for fingerprinting and targeted follow-up attacks.
- Live phishing link injection: Malicious Markdown links are surfaced as clickable hyperlinks within the assistant’s response, visually indistinguishable from legitimate summary content.
- Spoofed UI elements: The payload can instruct ChatGPT to render fake system-style security alerts (e.g., “Your session has expired — re-authenticate”) inside the trusted assistant interface.
- QR code delivery: An attacker-hosted QR code served from infrastructure such as an S3 bucket can be embedded in the response, directing the victim’s mobile device to an attacker-controlled URL — effectively bypassing desktop URL filtering and enterprise proxy controls.
This attack is a variant of indirect prompt injection, where the malicious instruction is not delivered by the user but by content the model retrieves and processes on the user’s behalf.
```markdown
<!-- Attacker payload embedded in a normal-looking web page -->

[Reset your password now](https://attacker.com/phish)
**SECURITY ALERT: Your account requires immediate verification.**
```
Framework Mapping
| Framework | Identifier | Rationale |
|---|---|---|
| MITRE ATLAS | AML.T0051 | Indirect prompt injection via summarised web content |
| MITRE ATLAS | AML.T0057 | IP, UA, and Referer leakage via image auto-fetch |
| MITRE ATLAS | AML.T0043 | Adversarial Markdown crafted to manipulate model output |
| OWASP LLM | LLM01 | Prompt injection through third-party page content |
| OWASP LLM | LLM02 | Insecure rendering of attacker-controlled Markdown output |
| OWASP LLM | LLM06 | Passive exfiltration of client metadata |
Impact Assessment
The primary risk population is enterprise users who rely on ChatGPT for research, competitive intelligence, or document summarisation. Any employee who asks ChatGPT to summarise a web page under attacker control — including pages distributed via social engineering, SEO poisoning, or compromised sites — can be exposed. The QR code vector is particularly notable as it explicitly circumvents desktop-layer security controls, targeting the mobile device as a secondary entry point.
The broader implication is a structural one: as AI summarisation becomes embedded in daily workflows, every untrusted URL becomes a potential payload delivery vehicle.
Mitigation & Recommendations
- Platform-side (OpenAI): Sanitise Markdown output from summarised third-party content; disable auto-fetching of remote images in assistant responses; apply Content Security Policy controls to the chatgpt.com renderer.
- Enterprise controls: Restrict ChatGPT web summarisation access via policy or proxy; monitor for outbound requests from AI tooling to uncategorised domains.
- User awareness: Train staff to treat links and QR codes rendered in AI assistant responses with the same scepticism applied to email content.
- Detection: Alert on bulk summarisation requests targeting external or newly registered domains.
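
One way to apply the platform-side sanitisation item above, shown as an added example that is not OpenAI's or Permiso's code: a pre-render filter that removes every image, so nothing is auto-fetched, and keeps a link only when its host is on an allowlist. The function names, the `allowed_hosts` parameter and the replacement text are assumptions; spoofed alert text and bare autolinks are outside its scope.

```python
import re
from urllib.parse import urlsplit

# Inline image ![alt](url) and inline link [text](url); an optional title is skipped.
IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')
LINK = re.compile(r'(?<!!)\[([^\]]+)\]\(\s*<?([^)\s>]+)>?[^)]*\)')
# Reference definitions ("[label]: url") and raw HTML tags also carry URLs.
REF_DEF = re.compile(r'^[ ]{0,3}\[[^\]]+\]:[ \t]*\S+.*$', re.MULTILINE)
HTML_TAG = re.compile(r'<\s*(?:img|a|iframe)\b[^>]*>', re.IGNORECASE)


def host_of(url):
    """Hostname of an http(s) URL, or None for anything else."""
    if "\\" in url:  # browsers read "\" as "/", urlsplit does not: fail closed
        return None
    try:
        parts = urlsplit(url.strip())
        return parts.hostname if parts.scheme in ("http", "https") else None
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None


def sanitise_summary(markdown, allowed_hosts):
    """Return (safe_markdown, findings) for text derived from an untrusted page."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []

    def drop_image(m):
        # Every image goes: rendering it is what triggers the outbound fetch.
        findings.append(("image", m.group(2)))
        return f"(image removed: {m.group(1) or 'no alt text'})"

    def check_link(m):
        # Keep a link only when its host is explicitly allowed (fail closed).
        if host_of(m.group(2)) in allowed:
            return m.group(0)
        findings.append(("link", m.group(2)))
        return f"{m.group(1)} (link removed)"

    def drop_markup(m):
        findings.append(("markup", m.group(0).strip()))
        return ""

    # Images first, so a linked image "[![qr](img)](url)" is then seen as a link.
    out = IMAGE.sub(drop_image, markdown)
    out = LINK.sub(check_link, out)
    out = REF_DEF.sub(drop_markup, out)
    out = HTML_TAG.sub(drop_markup, out)
    return out, findings
```

The returned `findings` list can be logged per summarisation request, which gives the detection side a record of which pages tried to inject links or images.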
References
- The Hacker News — ChatGPhish Vulnerability (May 29, 2026)
- Permiso Security — ChatGPhish research report (via The Hacker News)