ChatGPhish flaw turns ChatGPT summaries into phishing traps
Researchers say ChatGPhish lets attackers add malicious Markdown links and images so ChatGPT auto-fetches and renders them in summaries, exposing IP, User-Agent and Referer.
Permiso Security disclosed a vulnerability it calls ChatGPhish that affects ChatGPT’s web summary feature. The issue lets an attacker append malicious Markdown links or images to any web page so the assistant auto-fetches and renders that content when the page is summarized.
When ChatGPT retrieves attacker-hosted images, the server hosting those images can receive the requester’s IP address, User-Agent string and Referer header. Rendered responses can include live clickable links, spoofed system-style alerts and QR codes served from attacker storage. QR codes can be scanned by mobile devices and can bypass desktop URL filters and some enterprise controls.
Permiso wrote that the chatgpt.com response renderer trusts Markdown links and image URLs that originated from the third-party page the assistant has just summarized and automatically fetches those images as the answer is displayed. In a proof-of-concept, a small payload added to a page caused the assistant to retrieve a remote image and reveal header information to the attacker’s server.
Permiso added that the attack surface is not limited to email or attachments because a user can trigger the issue by asking ChatGPT to process a web page during normal browsing. Summarizing a page can introduce attacker-controlled content into the model context and into the rendered response, according to the report.
Other recent research describes methods that target AI assistants and developer tools. One set of techniques named SymJack and TrustFall uses malicious repositories and configuration files to trick coding assistants into copying files that overwrite their own configuration or into auto-approving a hostile Model Context Protocol (MCP) server. These actions can allow attacker code to run with the user’s privileges after the tool restarts or after a developer accepts a generic trust prompt.
Researchers have also demonstrated a jailbreak method that exploits multi-turn in-context learning, and a typographic prompt injection that hides instructions inside images to bypass vision-language filters. Additional findings have included vulnerabilities in browser extensions and SDKs that let untrusted scripts invoke assistants, and kernel- and SDK-level flaws that could escalate prompt injections into host-level code execution. Vendors have issued patches for several of these issues in recent updates.
An audit of agent skill ecosystems found about 13.4% of roughly 4,000 skills had at least one critical security issue, including exposed secrets and prompt injection vectors. Security teams have also shown proof-of-concept agents that chain reconnaissance, exploitation and data exfiltration steps to automate cloud attacks with minimal human guidance.
Permiso reported the ChatGPhish details to the platform owner and published technical notes and mitigation guidance, including steps to prevent untrusted content from being auto-fetched or auto-rendered inside the assistant interface.
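One way to apply the mitigation described above, keeping untrusted Markdown from being auto-fetched or auto-rendered, is a filter run on assistant output before it reaches the renderer. This is an added example, not Permiso's or the platform owner's code. The allowlist TRUSTED_HOSTS, the function names and the sample summary are assumptions constructed for illustration, and only inline Markdown images and links are handled.

```javascript
// Added example: neutralise inline Markdown images/links in assistant output
// before rendering. TRUSTED_HOSTS and the sample text are assumptions.
const TRUSTED_HOSTS = new Set(["chatgpt.com"]);

// Inline target: (url) or (<url> "title"); the capture group is the URL.
const TARGET = String.raw`\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)`;
const IMAGE = new RegExp(String.raw`!\[([^\]]*)\]` + TARGET, "g");
const LINK = new RegExp(String.raw`(?<!!)\[([^\]]*)\]` + TARGET, "g");

function isTrusted(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && TRUSTED_HOSTS.has(u.hostname);
  } catch {
    return false; // relative, malformed or non-URL targets are not trusted
  }
}

// Make a URL non-clickable and non-fetchable for display and logging.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

function neutraliseMarkdown(md) {
  const findings = [];
  // Images first, so nothing is fetched while the answer renders.
  let text = md.replace(IMAGE, (match, alt, url) => {
    if (isTrusted(url)) return match;
    findings.push({ kind: "image", url });
    return `(image blocked: ${alt || "no alt text"})`;
  });
  // Then links, including a link that wrapped a blocked image.
  text = text.replace(LINK, (match, label, url) => {
    if (isTrusted(url)) return match;
    findings.push({ kind: "link", url });
    return `${label} (link removed: ${defang(url)})`;
  });
  return { text, findings };
}

// Constructed sample of a summary carrying appended Markdown.
const SAMPLE = [
  "The page describes a product launch.",
  "![Security alert](https://attacker.example/qr.png)",
  "[Verify your account](https://attacker.example/login)",
  "[Help](https://chatgpt.com/help)",
].join("\n");

console.log(neutraliseMarkdown(SAMPLE));
```

Reference-style links, raw HTML and bare URLs need the same treatment in a real renderer, ideally applied to the parsed document rather than with regular expressions. The findings list gives a record of every blocked target that can be logged for review.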








