ChatGPhish: ChatGPT auto-renders attacker Markdown links, images, and QR codes from summarized web pages as trusted clickable phishing
Permiso Security has disclosed ChatGPhish, a vulnerability in OpenAI ChatGPT that abuses the assistant's implicit trust in Markdown links and images sourced from third-party pages it has just summarized. The chatgpt.com response renderer auto-fetches those images and surfaces the links as live clickable elements inside the trusted assistant UI. An attacker who appends a small payload to any web page a victim later asks ChatGPT to summarize can leak the victim's IP, User-Agent, and Referer via attacker-hosted images, render fake system-style security alerts, plant malicious clickable links, and serve a QR code from an S3 bucket to bypass desktop URL filters via the victim's phone.
- Check
- Warn staff that ChatGPT summaries of untrusted pages can render attacker links, fake alerts, and QR codes. Treat clickable elements in AI summaries with the same caution as email links.
- Affected
- Any organization using ChatGPT for research or summarization of third-party web content. The trusted-UI rendering of attacker Markdown bypasses normal phishing-awareness instincts and desktop URL filters.
- Fix
- Apply OpenAI's fix once available. Train users not to scan QR codes or click links surfaced inside AI summaries without verification. Restrict enterprise ChatGPT connectors that auto-summarize untrusted URLs.