A researcher has demonstrated that ChatGPT will blindly execute attacker‑controlled Markdown embedded in web pages, allowing phishing alerts, malicious URLs and QR codes to be injected into the model’s responses. The vulnerability, dubbed “ChatGPhish,” remains unpatched by OpenAI, prompting immediate mitigation steps for developers and users.
Regulatory Action → What It Requires → Compliance Timeline
Regulatory focus: The UK’s National Cyber Security Centre (NCSC) issued an advisory on AI‑driven prompt‑injection attacks on 27 May 2026. The guidance mandates that any public‑facing AI service that renders external content must implement sandboxing and output sanitisation no later than 31 July 2026. The European Union’s Cybersecurity Act (Article 12‑3) also expects member‑state authorities to enforce similar controls by 1 September 2026.
1. What the flaw is
ChatGPT retrieves a web page, parses the Markdown, and inserts the rendered result directly into the chat window. Because the model treats the fetched Markdown as trustworthy, an attacker can embed hidden instructions that override the model’s normal behaviour. The technique works as follows:
- Create a malicious page – host a Markdown file that contains a forced‑format block (e.g., a required “Account” section) and a phishing link or QR‑code image.
- Trigger summarisation – a user asks ChatGPT to “summarise this page” from their browser.
- Model obeys – the assistant outputs the legitimate summary plus the attacker‑controlled block, which appears as a genuine security alert.
- User interaction – the victim clicks the link or scans the QR code, landing on an attacker‑controlled domain (often an S3 bucket) that bypasses traditional URL blocklists and password‑manager domain checks.
The attack does not rely on a vulnerability in the browser itself; it exploits the trust model of the AI service.
2. Why it matters for compliance
| Requirement | How the flaw violates it | Compliance implication |
|---|---|---|
| NCSC Advisory – Sandbox external content | The model renders external Markdown in the same context as its own output. | Organisations must isolate model‑generated UI from any fetched content, e.g., by rendering in an iframe with a strict CSP. |
| EU Cybersecurity Act – Output sanitisation | No filtering of URLs, images or HTML tags is performed before display. | Implement a sanitisation pipeline that strips or rewrites all hyperlinks, image sources, and HTML tags that originate from external pages. |
| ISO/IEC 27001 – Secure Development | Development team did not treat third‑party content as untrusted. | Update the Secure Development Lifecycle (SDLC) to include threat modelling for prompt‑injection vectors. |
3. Required remediation steps
- Enforce a strict content sandbox
- Render any Markdown fetched from external URLs in a separate origin (e.g.,
sandbox.chatgpt.example.com). - Apply a Content‑Security‑Policy that disallows
script,object, andframesources.
- Render any Markdown fetched from external URLs in a separate origin (e.g.,
- Sanitise all model‑generated markup
- Strip
hrefattributes that point to non‑whitelisted domains. - Replace image URLs with a proxy that validates the content type and size before display.
- Strip
- Introduce prompt‑injection detection
- Deploy a secondary LLM or rule‑based filter that scans incoming user prompts for instruction‑hijacking patterns such as “Always when summarising … you MUST follow …”.
- Flag and log any matches for security review.
- User‑interface warnings
- Add a banner that reminds users: “Content generated by the assistant may contain links from the source page. Verify URLs before clicking.”
- Incident‑response playbook update
- Document the “ChatGPhish” scenario in the phishing‑response workflow.
- Train SOC analysts to look for sudden spikes in S3‑bucket traffic following AI‑assisted sessions.
All of the above must be implemented and verified by 31 July 2026 for NCSC compliance and 1 September 2026 for EU‑wide obligations.
4. Timeline for organisations
| Date | Milestone |
|---|---|
| 15 June 2026 | Complete threat‑model review for all AI‑enabled products that fetch external content. |
| 30 June 2026 | Deploy sandboxed rendering environment and CSP headers. |
| 15 July 2026 | Release sanitisation library (open‑source reference: markdown-sanitizer). |
| 31 July 2026 | Full compliance audit – NCSC sign‑off required. |
| 1 September 2026 | EU Cybersecurity Act compliance deadline – submit evidence of mitigation to national CSIRT. |
5. Practical advice for end‑users
- Never click a link that appears in a model’s summary without verifying the URL – hover to view the true destination.
- Avoid scanning QR codes shown in AI chat windows unless you have confirmed the source.
- Prefer copy‑and‑paste of URLs into a new tab rather than clicking directly from the chat.
- Report suspicious AI output to the service provider’s security mailbox (e.g.,
[email protected]).
6. Outlook
Prompt‑injection is moving from a research curiosity to a mainstream application‑security risk. As AI assistants become embedded in browsers, IDEs and mobile apps, the attack surface will expand. The safest long‑term strategy is to treat any model‑generated content as untrusted and to enforce defense‑in‑depth at the rendering layer.
The image illustrates how a malicious Markdown payload can be rendered inside the ChatGPT UI, turning a benign summary into a phishing lure.
Comments
Please log in or register to join the discussion