Tags: indirect injection · medium · new

ChatGPhish: untrusted Markdown turns ChatGPT summaries into phishing

Permiso disclosed ChatGPhish on 29 May 2026: a web page you ask ChatGPT to summarize can render attacker links, fake alerts, QR codes and tracking pixels inside the trusted assistant UI.

2026-06-20 · 6 min read · Affects: chatgpt, web-agents, ai-summarizers

What is this?

ChatGPhish is an indirect prompt injection technique disclosed by Permiso Security on 29 May 2026, in a report by threat hunter Andi Ahmeti titled ChatGPhish: The Page Is the Payload. The finding was first submitted to OpenAI through Bugcrowd on 29 April 2026 under the title Untrusted Markdown Rendering Leads to XSS, Phishing, and Data Exfiltration, and made public after a month without a vendor fix.

The core problem is a trust boundary failure in how ChatGPT renders its own answers. When a user asks the assistant to summarize a third-party web page, the chatgpt.com response renderer trusts the Markdown links and image URLs that came out of that untrusted page. It auto-fetches the images and surfaces the links as live, clickable elements inside the trusted assistant interface. The summary the user reads is no longer purely model-generated text — it can carry content the attacker planted.

How it works

The attacker does not need access to the victim’s account or a browser bug. They only need a web page they control and a victim who asks ChatGPT to summarize it. A small payload appended to an otherwise ordinary page rides through summarization into the rendered answer.

From there, Permiso demonstrates four primitives, all built on the renderer auto-trusting Markdown that originated from the summarized page:

  • Tracking pixels. An attacker-hosted image embedded in the page is fetched automatically when the answer renders, leaking the victim’s IP address, User-Agent and Referer to the attacker’s server — a silent beacon on every render.
  • Live phishing links. Attacker-controlled Markdown links are presented as clickable elements indistinguishable from model-generated output, inheriting the credibility of the assistant UI.
  • Spoofed system alerts. The injected content can imitate ChatGPT’s own styling to display fake account or security warnings, steering the user toward a credential-harvesting page.
  • QR-code pivot. A QR code served from an attacker bucket is rendered inline; scanning it moves the victim to a mobile device, side-stepping desktop URL filtering and enterprise controls.

This is OWASP LLM01 prompt injection, but the noteworthy part is not the injection itself — it is that the instructions embedded in a page are followed and surfaced to the user as part of the summary. Permiso frames it as a shift from email to the browser: the user no longer has to open a suspicious attachment, only to summarize a page during normal browsing. It echoes Permiso’s earlier March 2026 work on a comparable cross-prompt injection (XPIA) through Microsoft Copilot email summaries.

Why it matters

Summarization is one of the most common, most trusted assistant features, and organizations increasingly route research and triage through it. ChatGPhish turns that habit into an attack surface: any page an employee asks the assistant to process can carry a payload, and the output lands inside an interface users have been trained to trust. The data-exfiltration primitive is passive and needs no click at all, while the phishing and QR primitives exploit the assistant’s perceived authority to lower the victim’s guard. The same pattern generalizes to any LLM product that renders rich Markdown from summarized untrusted content.

It is not a remote-code-execution bug and it requires the user to initiate a summary of attacker-influenced content, which bounds its reach. Treat it as a high-frequency, low-friction phishing and tracking vector rather than a system-compromise vulnerability.

Defenses

For teams building or deploying LLM summarization:

  • Do not auto-fetch remote images from model output derived from untrusted content. Defer or proxy image loads so a render cannot become a tracking beacon, and strip request metadata.
  • Neutralize links from summarized content. Render attacker-derived URLs as inert text, show the full destination, or gate them behind an explicit “this link came from the page, not from the assistant” warning.
  • Separate model chrome from content. Never let summarized text reproduce the product’s own alert or system styling; reserve trusted UI affordances for first-party messages.
  • Apply the lethal-trifecta discipline. Untrusted input plus a rendering channel that reaches the user is enough for harm here; keep summarized content from driving privileged UI or outbound requests.
  • For users: treat an AI summary of an unknown page as you would the page itself — do not click links, scan QR codes, or act on security alerts that appear inside a summary.
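The first two defenses above (no auto-fetch of page-derived images, links rendered inert with their provenance shown) as an added example; this is hypothetical post-processing code for a summary renderer, not the chatgpt.com renderer or Permiso's code, and the `.example` hosts in the sample are constructed placeholders.

```javascript
// Post-processor for assistant output that was produced from an untrusted web
// page (a summary). Nothing that came from the page may become a live element:
// images become inert placeholders (no auto-fetch, so no tracking-pixel beacon
// and no rendered QR image) and links become plain text that shows the full
// destination and its provenance. Hypothetical code, not a product's renderer.

const IMAGE_RE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g; // ![alt](src "title")
const LINK_RE = /(?<!!)\[([^\]]+)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g; // [text](href)
const AUTOLINK_RE = /<((?:https?|ftp):\/\/[^\s>]+)>/g; // <https://...>
const HTML_IMG_RE = /<img\b[^>]*>/gi; // raw HTML image tags in the Markdown

function hostOf(url) {
  try { return new URL(url).host || "(no host)"; } catch { return "(unparseable URL)"; }
}

// Returns the neutralized Markdown plus a report of what was defused, so the
// UI can log it or tell the user how many page-originated links were removed.
function neutralizeUntrustedMarkdown(md) {
  const report = { images: [], links: [] };
  let out = md.replace(HTML_IMG_RE, (tag) => {
    const src = (tag.match(/src\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || "";
    report.images.push(src);
    return `[image from page blocked: ${hostOf(src)}]`;
  });
  out = out.replace(IMAGE_RE, (_, alt, src) => {
    report.images.push(src);
    return `[image from page blocked: "${alt}" at ${hostOf(src)}]`;
  });
  out = out.replace(LINK_RE, (_, text, href) => {
    report.links.push(href);
    return `${text} (link from page, not from the assistant: ${href})`;
  });
  out = out.replace(AUTOLINK_RE, (_, href) => {
    report.links.push(href);
    return `${href} (link from page, not from the assistant)`;
  });
  return { markdown: out, report };
}

// Constructed sample of a summary that carried page-planted Markdown: a pixel,
// a spoofed alert with a phishing link, and a QR image (placeholder hosts).
const SAMPLE_SUMMARY = [
  "The article reports the company's quarterly results.",
  "![](https://tracker.example/pixel.png)",
  "**Security alert:** your session expired. [Re-authenticate now](https://login.example/auth)",
  "Continue on mobile: ![QR](https://bucket.example/qr.png)",
].join("\n");

function demo() { return neutralizeUntrustedMarkdown(SAMPLE_SUMMARY); }
console.log(demo().markdown);
```

The third defense (keeping page text from reproducing product alert styling) is not covered here; the bold "Security alert" line still reaches the user and needs a separate chrome/content separation in the UI layer.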

Status

Disclosed by:              Permiso Security (Andi Ahmeti)
Reported to OpenAI:        29 April 2026 (Bugcrowd)
Public disclosure:         29 May 2026
Class:                     Indirect / cross-prompt injection (OWASP LLM01)
Impact:                    Data exfiltration, phishing, spoofed alerts, QR pivot
Vendor fix at disclosure:  None reported

ChatGPhish is a documented, responsibly disclosed technique, not a payload library. The lesson outlives the specific product: when an assistant renders rich content derived from untrusted pages, the rendering layer is part of the attack surface and must be treated as hostile output.

Sources