Cybersecurity researchers have disclosed a flaw in OpenAI ChatGPT that can turn summarized web pages into phishing vectors by rendering attacker-controlled Markdown links, images and QR codes inside the assistant interface, according to a technical analysis by Permiso Security.
KEY FACTS
- Name: The technique is codenamed ChatGPhish.
- Effect: Summarized pages can produce live clickable links, remote images and QR codes inside ChatGPT.
- Data exposure: Auto-fetched images can leak IP, User-Agent and Referer details.
- Risk: A malicious page could be enough to start a phishing flow during ordinary browsing.
The report says a small payload added to a web page can be carried into the model context when a user asks ChatGPT to summarize that page. When the answer is rendered, the assistant may fetch attacker-hosted images and display links as trusted-looking elements.
That behavior can be used to show fake security alerts, direct users to malicious sites or present a QR code from an attacker-controlled bucket for scanning on a mobile device. The technique is aimed at bypassing desktop URL filters and some enterprise controls.
Permiso said the shift from email to the browser broadens the attack surface because a user does not need to open an attachment or reply to a suspicious message. Simply summarizing a page during normal browsing can introduce attacker-controlled instructions into the output.
The disclosure comes as other researchers have outlined separate attacks against AI coding agents, browser extensions and agent frameworks, underscoring a wider effort by attackers to target systems that can act on behalf of users.
WHY IT MATTERS
The issue shows that AI assistants can become part of the phishing path when they render untrusted content in a trusted interface. For organizations that rely on ChatGPT for research or summarization, a malicious web page may create risks even without a direct user click on the original site.
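A renderer-side mitigation for the behavior described above, as an added example that is not code from Permiso or OpenAI: before output derived from an untrusted page is rendered, remote images from hosts outside an allowlist are dropped and links are turned into plain text that names the real destination host. The function names, the allowlist and all URLs are assumptions constructed for illustration.

```javascript
// Added example: neutralize inline Markdown images and links in assistant
// output derived from an untrusted page, before the UI renders it.
// ALLOWED_IMAGE_HOSTS and every URL below are constructed placeholders.
const ALLOWED_IMAGE_HOSTS = new Set(["static.example-internal.test"]);

// Inline syntax only. Reference-style links, autolinks and raw HTML need a
// real Markdown parser and are not handled here.
const IMAGE_RE = /!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g;
// Link labels may contain one nested [...] (what a removed image leaves behind).
const LINK_RE = /(?<!!)\[((?:[^\[\]]|\[[^\[\]]*\])*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g;

// Hostname of an http(s) URL, or null for anything else.
function hostOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" || u.protocol === "http:" ? u.hostname : null;
  } catch {
    return null;
  }
}

function neutralizeMarkdown(md) {
  const findings = [];
  // Images are fetched automatically on render, which is what exposes the
  // viewer's IP, User-Agent and Referer: drop every host not allowlisted.
  let out = md.replace(IMAGE_RE, (match, alt, url) => {
    const host = hostOf(url);
    if (host && ALLOWED_IMAGE_HOSTS.has(host)) return match;
    findings.push({ kind: "image", url });
    return `[image removed: ${host ?? "unknown destination"}]`;
  });
  // Links become plain text that names the real destination host, so the
  // label alone cannot pass as a trusted interface element.
  out = out.replace(LINK_RE, (match, label, url) => {
    findings.push({ kind: "link", url });
    return `${label} (link to ${hostOf(url) ?? "unknown destination"}, not opened)`;
  });
  return { text: out, findings };
}

// Constructed sample of a summary carrying attacker-controlled Markdown.
const SAMPLE = [
  "The page describes quarterly results.",
  "![status](https://bucket.attacker.example/qr.png)",
  "[Verify your account](https://login.attacker.example/sso)",
  "![logo](https://static.example-internal.test/logo.png)",
].join("\n");

console.log(neutralizeMarkdown(SAMPLE).text);
```

The `findings` array can be logged so that summaries which tried to embed remote content are visible to security monitoring.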

