Cybersecurity researchers have disclosed details of a newly identified vulnerability affecting OpenAI's ChatGPT that could transform routine web page summaries into potential phishing surfaces. The attack method, named ChatGPhish by Permiso Security, exploits ChatGPT’s handling of Markdown links and images from third-party websites summarized through the assistant. According to researchers, the issue stems from ChatGPT’s tendency to trust and automatically process Markdown content originating from external pages, enabling attackers to inject malicious instructions and deceptive elements directly into the assistant interface. Researchers warned that the flaw may expose users to phishing campaigns, misleading security alerts, and hidden tracking techniques simply through the process of summarizing a webpage.
Permiso Security researcher Andi Ahmeti explained that the chatgpt.com response renderer automatically trusts Markdown links and image URLs sourced from websites summarized by the assistant. When these elements are processed, ChatGPT retrieves remote images and presents embedded links as active, clickable content inside what users may perceive as a trusted interface. In a possible attack scenario, malicious actors could append hidden payloads to webpages that victims later ask ChatGPT to summarize. This could trigger automatic requests to attacker-controlled servers through embedded image links, exposing details such as a victim’s IP address, browser information, and referrer data. Researchers also noted that attackers may inject fraudulent Markdown links that appear legitimate within the AI response, generate fake account warning messages designed to imitate system notifications, or display malicious QR codes hosted remotely in an effort to deceive users into scanning them with mobile devices. Such techniques could potentially bypass traditional desktop URL filtering systems and enterprise security protections.
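One way a team embedding summaries in its own interface could neutralise the behaviour described above before rendering is sketched below. It is an added example, not code from Permiso Security or OpenAI; the function names, the image allowlist and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example; hosts are constructed placeholders, not values from the research.
const TRUSTED_IMAGE_HOSTS = new Set(["cdn.assistant.example"]); // assumed allowlist

// Lowercase hostname of an http(s) URL, or null for other schemes and parse errors.
function hostOf(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" || u.protocol === "http:" ? u.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Neutralise Markdown that originated from a summarised page before it is rendered.
function sanitizeUntrustedMarkdown(md) {
  const findings = [];
  // Images: rendering one makes the client fetch the URL automatically, which
  // discloses IP address, browser details and referrer to the remote host.
  let out = md.replace(/!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g, (m, alt, url) => {
    const host = hostOf(url);
    if (host && TRUSTED_IMAGE_HOSTS.has(host)) return m;
    findings.push({ type: "remote-image", host });
    return `(image removed: ${alt || "no alt text"})`;
  });
  // Links: never emit an active link; show the real destination host beside the
  // label and flag labels that name a different domain than the target.
  out = out.replace(/(?<!!)\[([^\]]+)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g, (m, text, url) => {
    const host = hostOf(url);
    if (!host) {
      findings.push({ type: "blocked-link", host: null });
      return text;
    }
    const named = text.toLowerCase().match(/\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/);
    const spoofed = named !== null && named[1] !== host && !host.endsWith("." + named[1]);
    findings.push({ type: spoofed ? "spoofed-link" : "external-link", host });
    return `${text} (link to ${host}, not activated)`;
  });
  return { text: out, findings };
}

// Constructed sample of model output that echoes Markdown from a summarised page.
const SAMPLE = [
  "Summary of the article.",
  "![status](https://track.attacker.example/p.png?u=1)",
  "Security alert: verify at [chatgpt.com/account](https://login.attacker.example/verify)",
  "![logo](https://cdn.assistant.example/logo.png)",
].join("\n");

console.log(sanitizeUntrustedMarkdown(SAMPLE));
```

The `findings` array can be forwarded to logging so that summaries carrying remote images or mismatched link labels are visible to the security team.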
Researchers described ChatGPhish as an example of how AI summarization tools are increasingly becoming adversarial attack surfaces. Earlier in March, Permiso Security reported a similar issue involving Microsoft Copilot, where attacker-controlled emails carrying hidden instructions could influence AI-generated summaries through indirect or cross-prompt injection methods. What makes ChatGPhish particularly notable, researchers said, is not the existence of prompt injection itself but the manner in which malicious instructions embedded in a webpage are followed and then displayed to users as part of an apparently trustworthy assistant response. As organizations continue integrating ChatGPT into research, browsing, and content review workflows, experts warned that any malicious webpage summarized by employees could effectively turn an AI assistant into a phishing delivery channel.
The disclosure also arrives alongside broader concerns surrounding vulnerabilities targeting AI tools and coding assistants. Security company Adversa AI recently documented two attack methods called SymJack and TrustFall that target AI coding agents and command-line coding tools. SymJack reportedly tricks AI assistants into copying seemingly harmless files that secretly overwrite configuration settings through symlink abuse, eventually enabling remote code execution with full user privileges after restart. TrustFall, meanwhile, is described as a one-click attack where malicious repositories contain configuration files that automatically approve and launch harmful Model Context Protocol servers without requiring additional user authorization. Researchers noted that developers who clone a malicious repository and approve a routine folder trust prompt could unknowingly trigger attacker-controlled code execution with extensive system privileges. Additional research in recent months has highlighted a growing number of AI-related attack methods, including jailbreak approaches, vulnerabilities affecting browser extensions, prompt injection flaws, unsafe AI agent ecosystems, and weaknesses in enterprise AI frameworks. Cybersecurity researchers have cautioned that threat actors are increasingly experimenting with artificial intelligence to automate reconnaissance, privilege escalation, malware deployment, and credential theft at greater speed and scale.