← All articles

ChatGPhish: ChatGPT auto-renders attacker Markdown links, images, and QR codes from summarized web pages as trusted clickable phishing

Permiso Security has disclosed ChatGPhish, a vulnerability in OpenAI ChatGPT that abuses the assistant's implicit trust in Markdown links and images sourced from third-party pages it has just summarized. The chatgpt.com response renderer auto-fetches those images and surfaces the links as live clickable elements inside the trusted assistant UI. An attacker who appends a small payload to any web page a victim later asks ChatGPT to summarize can leak the victim's IP, User-Agent, and Referer via attacker-hosted images, render fake system-style security alerts, plant malicious clickable links, and serve a QR code from an S3 bucket to bypass desktop URL filters via the victim's phone.

Check
Warn staff that ChatGPT summaries of untrusted pages can render attacker links, fake alerts, and QR codes. Treat clickable elements in AI summaries with the same caution as email links.
Affected
Any organization using ChatGPT for research or summarization of third-party web content. The trusted-UI rendering of attacker Markdown bypasses normal phishing-awareness instincts and desktop URL filters.
Fix
Apply OpenAI's fix once available. Train users not to scan QR codes or click links surfaced inside AI summaries without verification. Restrict enterprise ChatGPT connectors that auto-summarize untrusted URLs.