top of page

ChatGPT Web Summary Vulnerability Enables Phishing Attacks Through Malicious Page Redirects

  • May 30
  • 4 min read

Key Findings


  • Permiso Security discovered ChatGPhish, a vulnerability in ChatGPT that exploits the AI's trust in Markdown links and images to enable prompt injection and phishing attacks

  • Attackers can embed malicious payloads in web pages that ChatGPT summarizes, causing automatic image fetching that leaks user IP addresses, User-Agent data, and Referer information

  • The vulnerability transforms ChatGPT's response interface into a phishing surface by rendering malicious links, fake security alerts, and QR codes as legitimate elements within the trusted AI UI

  • No special prompts or user interaction beyond normal summarization is required to trigger the attack

  • Related vulnerabilities in AI coding agents (SymJack and TrustFall) enable remote code execution through malicious repositories


Background


ChatGPT's web summarization feature has become a valuable tool for researchers and organizations seeking quick insights from web content. However, this convenience has created an unexpected security gap. The vulnerability stems from how ChatGPT's response renderer handles content from third-party pages. When users ask ChatGPT to summarize a webpage, the AI processes and presents the information back with any embedded Markdown links and images rendered as live, clickable elements. The critical flaw is that ChatGPT implicitly trusts these elements without validating their origin or intent, treating them as safe components of the summary.


How ChatGPhish Works


An attacker starts by injecting a small payload into a legitimate-looking web page. When a victim asks ChatGPT to summarize that page, the AI processes it normally and includes the attacker's embedded content in its response. The chatgpt.com renderer then automatically fetches images referenced in the Markdown, which triggers network requests to attacker-controlled servers. This innocent-seeming image fetch reveals the victim's IP address, browser User-Agent string, and HTTP Referer header - valuable reconnaissance data for targeted attacks.


Beyond passive information gathering, attackers can use the same technique to render malicious Markdown links as clickable elements directly inside ChatGPT's interface. To the user, these links appear legitimate because they're presented within the trusted ChatGPT UI, not on a suspicious external website.


Attack Scenarios in Practice


The vulnerability enables several sophisticated attack chains. An attacker could craft a QR code hosted on their own server and embed it in a web page marked for summarization. When ChatGPT renders the summary, the QR code appears legitimate and scannable. The victim, believing they're interacting with official ChatGPT content, scans the code with their mobile device - potentially bypassing desktop-based URL filters and enterprise security controls that might otherwise flag the malicious destination.


Fake system-style security alerts can be embedded the same way. Imagine a summary that includes what appears to be an official ChatGPT or account security warning, complete with a clickable link prompting credential entry. The victim sees this within their trusted AI assistant interface and may not question its authenticity.


For enterprise environments, this is particularly dangerous. As organizations increasingly rely on ChatGPT for research and due diligence, any malicious webpage an employee asks the AI to process becomes a potential attack vector. The employee believes they're simply performing legitimate work while actually introducing attacker-controlled instructions into ChatGPT's response.


Why Summarization is the Vulnerability


What distinguishes ChatGPhish from typical prompt injection attacks is the attack surface itself. Traditional prompt injection requires users to interact with suspicious content or follow unusual instructions. ChatGPhish exploits normal, expected user behavior. An employee researching a topic and asking ChatGPT to summarize a page is performing their job exactly as intended. The attacker's payload rides along invisibly, embedded in ordinary web page content.


Permiso Security noted that this shift from email-based attacks to the browser dramatically expands the threat landscape. Users no longer need to open malicious attachments or fall for obviously suspicious messages. Simply summarizing a page during routine browsing can introduce attacker instructions into the model's context and ultimately into the rendered response.


Related Threats in AI Systems


The ChatGPhish disclosure arrives alongside other newly documented vulnerabilities targeting AI systems. Adversa AI identified two attack techniques against AI coding agents: SymJack and TrustFall.


SymJack tricks coding agents into copying what appears to be harmless files, but the destination is actually a symlink pointing to the agent's own configuration files. The attacker's payload gets written to the config, and on the next restart, a malicious Model Context Protocol server spawns with full user privileges.


TrustFall is more direct. An attacker creates a repository containing a malicious MCP server and configuration settings that auto-approve its execution. When a developer opens the repository in an AI coding tool and clicks the standard "trust this folder" dialog, the attacker's code launches immediately with the developer's full system privileges. No additional prompts or tool calls are needed.


Broader Pattern of AI Vulnerabilities


These disclosures reflect a growing trend of vulnerabilities targeting the implicit trust users place in AI systems. Recent months have seen attacks exploiting novel jailbreak techniques like Involuntary In-Context Learning, which weaponizes the tension between how AI models learn from context and their safety alignment guardrails. The pattern suggests that as AI tools become more integrated into daily workflows, attackers are shifting from targeting the technology itself to exploiting user behavior and organizational trust in these systems.


Sources


  • https://thehackernews.com/2026/05/chatgphish-vulnerability-turns-chatgpt.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1trcbbh/chatgphish_vulnerability_turns_chatgpt_web

  • https://aiweekly.co/alerts/permiso-security-exposes-chatgpt-as-live-phishing-surface

  • https://www.perplexity.ai/page/eaade773-9a5d-43fe-880c-def4dc930e86

  • https://cybersecuritynews.com/chatgpt-vulnerability-chatgphish-attack

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page