ChatGPhish Vulnerability Exposes ChatGPT to Phishing Attacks

Security researchers at Permiso Security have uncovered a critical vulnerability in OpenAI's ChatGPT, dubbed ChatGPhish, that transforms the AI assistant's web summarization feature into a potential phishing delivery mechanism. The flaw exploits ChatGPT's implicit trust in Markdown links and images when processing summarized content from third-party web pages. Researcher Andi Ahmeti documented how the chatgpt.com response renderer automatically fetches images and renders links from summarized pages as live, clickable elements within the trusted assistant interface, creating a direct pathway for malicious content delivery.

In a practical attack scenario, threat actors can inject a simple payload into any web page that a victim subsequently asks ChatGPT to summarize. When rendered, the summary automatically triggers requests to attacker-controlled image servers, exfiltrating victim IP addresses, User-Agent strings, and HTTP Referer headers. Beyond passive data collection, the vulnerability enables malicious Markdown links to appear as legitimate system-generated security alerts, and permits attackers to serve QR codes from their own S3 buckets, potentially bypassing enterprise security controls and desktop URL filtering mechanisms.

The attack vector represents a significant expansion of the traditional phishing surface. Unlike conventional email-based attacks requiring malicious attachments or suspicious messages, ChatGPhish requires only that a user ask ChatGPT to summarize a seemingly innocent web page during normal browsing activity. Organizations deploying ChatGPT for research and document summarization are particularly at risk, as any compromised web page processed by the assistant could weaponize the trusted AI interface. This follows a March disclosure by Permiso demonstrating similar indirect prompt injection via Microsoft Copilot summarizing specially crafted email content.

Organizations should audit their AI tool usage policies and consider implementing browser-level protections such as the browser fingerprint test to understand exposed identifiers, along with the SSL/TLS checker to verify legitimate secure connections. Users concerned about credential exposure from such attacks can leverage the email breach checker to determine if their accounts have been compromised in related incidents.