How the Attack Works
Security researchers at Permiso Security have uncovered a technique called ChatGPhish that exploits how OpenAI’s ChatGPT renders web page summaries. The vulnerability stems from the AI assistant’s trust in Markdown links and images included in third-party content it summarizes. When a user asks ChatGPT to summarize a webpage, the system automatically fetches images embedded in that page using Markdown and displays links as clickable elements within the assistant’s response.
An attacker can weaponize this by adding a small payload to any webpage. When a victim later asks ChatGPT to summarize that page, the assistant fetches attacker hosted images, leaking the user’s IP address, User Agent, and Referer information. The malicious Markdown links also appear as live, interactive elements inside what the user perceives as a trusted AI interface.
Impact and Scope
This technique creates several dangerous scenarios. An attacker can display fake system style security alerts directly within ChatGPT’s response, serve QR codes that redirect to phishing sites, or present spoofed account warnings that trick users into revealing credentials. Since the malicious content appears inside the legitimate ChatGPT interface, victims may lower their guard and trust the warnings.
The finding highlights how simple web page summarization can become an adversarial attack surface. The attack does not require the victim to click a malicious link beforehand. It only requires a user to ask ChatGPT to summarize a page the attacker has previously poisoned. Organizations relying on ChatGPT for research and productivity should treat AI generated summaries as potentially untrusted content until this rendering behavior is addressed.
Source: The Hacker News
