A browser-based prompt injection technique that weaponizes ChatGPT’s page summarization capability, allowing attackers to embed phishing links, spoofed security alerts, and QR codes directly inside the trusted ChatGPT interface without any visible warning to the user.
The attack, dubbed ChatGPhish, was disclosed by Permiso security researchers and builds on trust-transfer logic previously demonstrated against Microsoft Copilot, where Cross Prompt Injection Attacks (XPIA) allowed attacker-crafted email content to manipulate AI-generated summaries.
ChatGPhish escalates that premise by targeting the browser the environment where users spend the majority of their working day.
Any page a user asks ChatGPT to summarize a GitHub README, documentation portal, blog post, or SaaS dashboard can silently carry malicious instructions into the model’s response.
By appending a small instruction payload to any publicly accessible web page, an unauthenticated attacker can directly influence how ChatGPT structures and renders its summarization output.
Because chatgpt.com’s response renderer trusts Markdown links and image URLs originating from third-party summarized content, researchers identified four distinct attack primitives:
- UI redress phishing: Attacker-controlled Markdown links render as live, clickable elements inside ChatGPT with no origin labeling users cannot distinguish injected URLs from genuine ChatGPT-generated ones
- Spoofed system alerts: The renderer displays attacker text styled as legitimate “account security” notifications, inheriting the visual trust of the assistant’s own interface
- QR-code pivot: Auto-rendered QR code images fetched from attacker-controlled S3 buckets bypass all desktop URL defenses hover previews, browser blocklists, and password manager domain checks because the destination only becomes visible after scanning on a second device
- Passive tracking beacon: Markdown images embedded via URL shorteners are auto-fetched on every render, leaking the victim’s IP address, User-Agent, Referer header, and high-resolution timing to attacker-controlled infrastructure
What makes ChatGPhish particularly dangerous is not the injection itself, but where the output lands. As OWASP LLM01:2025 identifies, the core risk with prompt injection is that LLMs cannot reliably distinguish between legitimate instructions and attacker-supplied content embedded in retrieved data.
Once processed, attacker content surfaces inside the ChatGPT response window styled identically to genuine assistant output complete with formatted alerts, clickable links, and inline images.
The browser’s same-origin policy offers no protection because the AI assistant executes with the user’s authenticated context, rendering traditional web security boundaries irrelevant.
Permiso submitted the initial vulnerability report to OpenAI via Bugcrowd on April 29, 2026, citing “Untrusted Markdown Rendering Leads to XSS, Phishing, and Data Exfiltration.” OpenAI responded that the report could not be reproduced.
A revised submission on May 1, 2026 with expanded proof-of-concept steps was classified as a duplicate of a previously reported issue. After follow-up communication on May 7, 2026, the research was publicly published on May 29, 2026.
Recommended Mitigations
Until clear source separation is enforced between retrieved web content and rendered assistant output, security teams should:
- Conduct security awareness training on AI summarization risks within the organization
- Avoid using AI browser summarization on pages with user-generated or untrusted content such as Reddit, public GitHub READMEs, and blogs
- Restrict AI browser permissions to the minimum necessary and require human approval before any link interaction within summarized responses
- Treat any clickable link, image, or alert inside an AI summary as potentially attacker-controlled until origin attribution is clearly displayed
- Deploy semantic input/output filtering and anomaly detection on AI-integrated surfaces within enterprise environments
- Monitor AI browser activity logs for unexpected outbound image fetch requests to unknown or URL-shortened endpoints
ChatGPhish underscores a structural challenge facing all browser-integrated AI summarization systems: as long as attacker-controlled web content can influence rendered assistant output without explicit origin labeling, the browser remains a practical, low-barrier phishing and passive reconnaissance delivery surface.
No Comment! Be the first one.