ChatGPhish Turns ChatGPT Summaries Into a Live Phishing Vector

What happened? Security researchers at Permiso Security reported a flaw they call ChatGPhish that lets a malicious web page turn a ChatGPT summary into a phishing delivery platform. When a user asks ChatGPT to summarize a URL, the model fetches the page, extracts the relevant text, and then renders the response in the chat UI. The renderer treats any Markdown link ([text](https://example.com)) or image (![](https://example.com/image.png)) that appeared in the source page as a live, clickable element inside the trusted assistant interface. Because the UI automatically downloads those images, an attacker can embed a tiny tracking pixel or a QR‑code image that is fetched as soon as the answer appears.

Why it matters The vulnerability sidesteps traditional phishing defenses that focus on email attachments or suspicious URLs. The user never clicks a link; the malicious content is rendered automatically inside the ChatGPT window, which most organizations trust. In a proof‑of‑concept, a single‑pixel image hosted on the attacker’s server received the victim’s IP address, User‑Agent string, and the HTTP Referer header (the original page URL). That data alone can be used to fingerprint the user’s environment and launch further targeted attacks.

How the attack works

1. Inject a payload into a public web page – The attacker adds a Markdown image tag or a disguised link to a site that is likely to be summarized (e.g., a news article, a product page, or a documentation site).
2. Victim asks ChatGPT to summarize the URL – The model pulls the page, extracts the text, and includes the raw Markdown in its response.
3. ChatGPT UI renders the Markdown – The built‑in renderer automatically fetches the image and makes the link clickable, exposing the attacker’s server to the victim’s browser.
4. Optional escalation – The attacker can serve a QR code that, when scanned on a mobile device, leads to a malicious site, or they can display a fake security‑alert banner that tricks the user into entering credentials.

Expert perspective

“The chatgpt.com response renderer trusts Markdown links and image URLs that originated from a third‑party page the assistant has just summarized. It auto‑fetches those images and surfaces those links as live, clickable elements inside the trusted assistant UI,” explains Andi Ahmeti, senior researcher at Permiso Security, in the full disclosure.

Real‑world impact

• Enterprise research – Teams using ChatGPT for quick market or technical research could inadvertently expose internal IP ranges or credential‑filled browsers to external servers.
• Bypassing URL filters – Because the request originates from the OpenAI UI, corporate web proxies that block outbound requests to known malicious domains may not see the traffic, especially if the image is hosted on a reputable CDN.
• Mobile device compromise – A QR code displayed in the chat can be scanned by a user’s phone, taking them to a phishing site that bypasses desktop‑only defenses.

Related AI‑focused attacks ChatGPhish is part of a growing suite of AI‑specific techniques uncovered in 2026:

• SymJack and TrustFall – Attacks on AI coding agents that manipulate repository files to achieve remote code execution.
• Involuntary In‑Context Learning (IICL) – A jailbreak method that leverages the tension between in‑context learning and safety alignment to bypass model guardrails.
• ClaudeBleed – A Chrome extension flaw that lets any script talk to Anthropic’s Claude extension without permission checks.
• WebPromptTrap – An indirect prompt‑injection bug in the open‑source BrowserOS agent that tricks users into authorizing malicious actions.

Practical takeaways for defenders

1. Treat AI summaries as untrusted input – Do not assume that a ChatGPT response is safe just because it appears inside the official UI.
2. Disable automatic image loading – If your organization uses the ChatGPT web UI, configure browser policies (e.g., Content‑Security‑Policy img-src 'self') to block third‑party image requests from the OpenAI domain.
3. Monitor outbound traffic – Look for unexpected GET requests to image‑hosting domains that coincide with ChatGPT usage spikes.
4. Educate users – Remind employees that clicking on links or scanning QR codes that appear in AI‑generated answers can be malicious, even if the UI looks official.
5. Consider sandboxed AI tools – Deploy self‑hosted LLM front‑ends that allow you to strip Markdown or sanitize rendered content before displaying it to end users.

What OpenAI is doing OpenAI has acknowledged the issue and is working on a fix that will sanitize Markdown links and images originating from external pages before they are rendered. In the meantime, the company recommends users enable the “Safe mode” toggle and avoid summarizing untrusted URLs.

Looking ahead The ChatGPhish discovery underscores a broader trend: as generative AI becomes a primary research tool, the line between “trusted UI” and “untrusted content” blurs. Attackers will continue to embed malicious instructions in the very data that AI models consume, turning summarization, code generation, and even image captioning into vectors for credential theft and lateral movement.

Bottom line Enterprises should treat AI‑assisted workflows with the same scrutiny they apply to email and web browsing. By applying strict content sanitization, monitoring outbound requests, and training staff to question unexpected UI elements, organizations can reduce the risk that a harmless‑looking summary becomes a phishing conduit.

---

For a deeper dive into the technical details, read the full Permiso Security report here.