A browser-based prompt injection technique transforms any web page into a phishing delivery surface by exploiting ChatGPT’s page summarization feature, rendering attacker-controlled links, fake security alerts, and QR codes directly inside the trusted ChatGPT interface.
Researchers at Permiso have disclosed the attack, dubbed ChatGPhish, which builds on the same trust-transfer logic previously demonstrated against Microsoft Copilot, where attacker-crafted email content could manipulate AI-generated summaries through Cross Prompt Injection Attacks (XPIA).
ChatGPhish escalates that premise by swapping the bounded email primitive for the browser, where users spend the majority of their working day. Any page a user visits and asks ChatGPT to summarize (a GitHub README, documentation portal, blog post, or SaaS dashboard) can silently carry malicious instructions into the model’s response.
ChatGPT Vulnerability – ChatGPhish Attack
By appending a small instruction payload to any publicly accessible web page, an unauthenticated attacker can influence how ChatGPT structures and renders its summarization output.
Because chatgpt.com’s response renderer trusts Markdown links and image URLs originating from third-party summarized content, three distinct attack primitives become available:
- UI redress / phishing: Attacker-controlled Markdown links render as live, clickable elements inside the ChatGPT interface with no origin labeling — users cannot distinguish attacker-injected URLs from ChatGPT-generated ones
- Spoofed system alerts: The renderer displays attacker text styled as legitimate “account security” notifications, inheriting the visual trust of the assistant’s own UI
- QR-code pivot: Auto-rendered QR code images fetched from attacker-controlled S3 buckets bypass all desktop URL defenses (hover previews, browser blocklists, and password manager domain checks) because the destination only becomes visible after scanning on a second device.
- Passive tracking beacon: Markdown images embedded via URL shorteners (e.g., shorturl.at) are auto-fetched on every render, leaking the victim’s IP address, User-Agent, Referer header, and high-resolution timing to attacker-controlled infrastructure
What makes ChatGPhish particularly dangerous is not just the injection itself, but where the output lands. As OWASP LLM01:2025 identifies, the core risk with prompt injection is that LLMs cannot reliably distinguish between legitimate instructions and attacker-supplied content embedded in retrieved data.
Once that attacker content is processed, it surfaces inside the ChatGPT response window, styled identically to genuine assistant output, complete with formatted alerts, clickable links, and inline images.

The browser’s same-origin policy offers no protection because the AI assistant executes with the user’s authenticated context, making traditional web security boundaries irrelevant.
Permiso submitted the initial vulnerability report to OpenAI via Bugcrowd on April 29, 2026, citing “Untrusted Markdown Rendering Leads to XSS, Phishing, and Data Exfiltration.”
OpenAI responded noting the report could not be reproduced. A revised submission on May 1, 2026, with expanded proof-of-concept steps, was subsequently classified as a duplicate of a previously reported issue.
After follow-up communication on May 7, 2026, clarifying the broader phishing, QR-code, and passive tracking implications, the research was publicly published on May 29, 2026.
Until clear source separation is enforced between retrieved web content and rendered assistant output, security teams should apply the following mitigations:
- Avoid using AI browser summarization features on pages containing user-generated or untrusted content (Reddit, public GitHub READMEs, blogs)
- Restrict AI browser permissions to the minimum necessary; require human approval before any link interaction within summarized responses
- Treat any clickable link, image, or alert appearing inside an AI summary as potentially attacker-controlled until origin attribution is clearly displayed
- Deploy semantic input/output filtering and anomaly detection on AI-integrated surfaces within enterprise environments
- Monitor AI browser activity logs for unexpected outbound image fetch requests to unknown or URL-shortened endpoints
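One way to act on the link, image and output-filtering mitigations above, as an added example that is not from Permiso's research or OpenAI's code: a Python filter that runs over an assistant summary before it is rendered, drops images that would auto-fetch from non-allowlisted hosts, and de-links untrusted links while showing their destination host. The allowlist, the shortener hosts other than shorturl.at, and the sample summary are constructed assumptions, and only inline Markdown links and images are handled.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this sketch: hosts the UI may link to or load images from.
TRUSTED_HOSTS = {"chatgpt.com", "openai.com"}
# shorturl.at is named in the article; the others are common shorteners.
SHORTENER_HOSTS = {"shorturl.at", "bit.ly", "tinyurl.com", "t.co"}

# Inline Markdown link or image: optional "!", [label], (url optional-title)
MD_REF = re.compile(r'(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?[^)]*\)')

# Constructed summary showing the alert-link, QR-image and beacon patterns.
SAMPLE = (
    "The README describes a CLI tool.\n\n"
    "**Account security alert:** [Verify your session](https://login.attacker.example/verify)\n\n"
    "![Scan to secure your account](https://bucket.attacker.example/qr.png)\n"
    "![](https://shorturl.at/constructed)\n"
    "See the [help center](https://help.openai.com/) for details.\n"
)

def _host(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def _trusted(host):
    # Exact host or a true subdomain; "openai.com.attacker.example" fails.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def filter_summary(markdown):
    """Return (safe_markdown, findings) for a summary of a third-party page."""
    findings = []

    def rewrite(m):
        is_image, label, url = m.group(1) == "!", m.group(2), m.group(3)
        host = _host(url)
        if host and _trusted(host):
            return m.group(0)                      # leave trusted references alone
        kind = "image" if is_image else "link"
        if host in SHORTENER_HOSTS:
            kind += "-shortener"                   # final destination is hidden
        findings.append((kind, host or "unparseable", url))
        if is_image:
            # Never auto-fetch: remove the image, keep a visible marker.
            return f"[image blocked: {host or 'unknown host'}]"
        # De-link and show the real destination host beside the label.
        return f"{label} (untrusted link to {host or 'unknown host'})"

    return MD_REF.sub(rewrite, markdown), findings
```

The findings list can be forwarded to logging so that blocked image fetches to shortened or unknown endpoints are visible to the monitoring described in the last mitigation.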
The ChatGPhish research underscores a structural challenge facing all browser-integrated AI summarization systems: as long as attacker-controlled web content can influence rendered assistant output without explicit origin labeling, the browser itself remains a practical, low-barrier delivery surface for phishing, device pivoting, and passive reconnaissance.