ChatGPhish vulnerability turns ChatGPT into phishing tool

Researchers uncover ChatGPhish, a flaw that lets malicious web pages inject phishing links into ChatGPT summaries, exposing a new attack surface.

On May 30, 2026, Permiso Security disclosed a new attack vector called ChatGPhish that exploits ChatGPT’s handling of Markdown links and images, turning ordinary web summaries into a phishing surface.

Key Takeaways

  • ChatGPhish abuses ChatGPT’s auto‑fetching of Markdown images and live rendering of Markdown links in its UI.
  • Attackers can harvest a victim’s IP address, User-Agent, and Referer simply by embedding an image that points at a server they control; no click is required.
  • Phishing links, fake security alerts, and QR codes can appear inside the trusted assistant interface.
  • The flaw expands the attack surface from email attachments to any web page a user asks ChatGPT to summarize.
  • Mitigations will likely involve stricter rendering policies and user warnings.

ChatGPhish vulnerability: How malicious markdown turns ChatGPT into a phishing surface

What’s surprising is that the exploit doesn’t need any special code execution; it just tricks the browser‑based renderer. Andi Ahmeti, a researcher at Permiso, explained that “the chatgpt.com response renderer trusts Markdown links and Markdown image URLs that originated from a third‑party page the assistant has just summarized. It auto‑fetches those images and surfaces those links as live, clickable elements inside the trusted assistant UI.” That trust is exactly what the attackers weaponize.

Attack mechanics in plain language

First, a threat actor adds a tiny payload, usually a 1×1 pixel image hosted on their own server, to any public web page. Then a user, unaware of the hidden markup, asks ChatGPT to summarize that page. When the assistant’s reply includes that image reference, the user’s own browser fetches it while rendering the response, so the attacker’s server logs the user’s public IP address, User-Agent, and a Referer showing that the request came from chatgpt.com, all without a single click.

Second, the same page can also carry a crafted Markdown link. Because the renderer turns it into a live anchor, clicking it sends the victim to a phishing site dressed up as a legitimate login portal. And because the link appears inside the ChatGPT UI, many users assume it is safe.

Third, the attacker can reference a QR‑code image hosted on a public S3 bucket. The summary then displays the QR code, and a user who scans it with a phone carries the link outside the desktop’s web proxy and URL filtering, so the phishing page reaches the mobile device directly.

Why summarization is the new attack vector

Earlier this March, Permiso showed that Microsoft Copilot could be hijacked via a cross‑prompt injection when summarizing a malicious email. ChatGPhish pushes the same concept onto the web, meaning any employee who relies on ChatGPT for research could inadvertently summon a phishing payload.

Because the assistant’s UI is considered trusted, the shift from email to browser “significantly expands the potential attack surface,” Permiso said. A user no longer has to open a suspicious attachment; just summarizing a page could inject malicious instructions into the model’s context and render them directly.

Real‑world implications for enterprises

Enterprises that have rolled out ChatGPT for knowledge‑base queries, internal research, or customer‑facing bots now face a blind spot. If an employee copies a URL from a competitor’s site or a shady forum and asks ChatGPT to summarize it, the assistant’s reply can silently make the employee’s browser fetch the attacker’s image, revealing the organization’s egress IP address and the employee’s browser details to the attacker.

Beyond data exfiltration, the rendered phishing links could be used in social engineering campaigns. A fake “account security alert” displayed in the assistant could prompt users to click and hand over credentials, bypassing corporate email filters that would normally flag such attempts.

  • IP address, User-Agent, and Referer are exposed with each malicious image fetch, with no user interaction.
  • Live Markdown links can deliver credential‑stealing pages directly inside ChatGPT.
  • QR codes can route a phishing link to a mobile device, sidestepping desktop URL filters and web proxies.
  • Any web page summarized by ChatGPT becomes a potential phishing vector.

Because the vulnerability lives in the rendering layer, it’s not something developers can patch with a simple prompt tweak. The platform itself must reconsider auto‑fetching external resources in a trusted UI.

Response from OpenAI and the broader AI security community

OpenAI hasn’t released a detailed patch note yet, but the company’s history of quick remediation suggests they’ll adjust the renderer to either sandbox external resources or require explicit user consent before fetching them. The AI security community, meanwhile, is already debating best practices for safe markdown handling.

Researchers are urging developers to treat any external content, images or links alike, as untrusted until proven safe. That means sending a Content‑Security‑Policy (CSP) header whose img-src directive restricts where images may load from, disabling auto‑load of images in the assistant, or showing a warning banner when a summary includes external media.

What to watch for in upcoming updates

Look for changes in the ChatGPT UI that prompt users before loading images, or that render links as plain text rather than clickable elements. Also, keep an eye on OpenAI’s security advisories; they’ll likely flag this class of issue as “remote resource loading.”

Technical architecture of the markdown renderer

The renderer sits between the language model and the browser window. Once the model produces a text block, the response is run through a Markdown processor that turns image and link syntax into HTML elements. Those elements are then inserted into the page without an intermediate sandbox step. Because the processor assumes the output will be read by a human, it automatically enables image loading and link activation.

In a typical setup, the browser fetches an image URL as soon as the <img> tag appears in the DOM. No JavaScript from the attacker is required; the network request fires immediately. The same principle applies to anchor tags: the href attribute becomes clickable the moment the element renders. This convenience layer is what the attack exploits.

Defending against the issue usually involves two layers. First, a Content‑Security‑Policy img-src directive can forbid image sources that are not on an allowlist, so the browser refuses the fetch even if the renderer emits the tag. Second, the renderer can be instructed to treat every external URL as inert until the user explicitly opts in. Both approaches preserve the visual fidelity of legitimate summaries while cutting off the automatic data leak path.
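The attack mechanics above and the two defensive layers just described can be seen side by side in a small renderer. The following is an added example and is not Permiso’s, OpenAI’s, or the chatgpt.com renderer’s own code: a deliberately naive Markdown‑to‑HTML step of the kind the article describes, beside a hardened version that enforces an image‑host allowlist (the same rule a CSP img-src directive expresses) and renders links as inert text. The hosts attacker.example, bucket.s3.example and cdn.assistant.example, and the sample summary, are constructed for the demo.

```javascript
// Added example (not Permiso's, OpenAI's or chatgpt.com's code): naive vs.
// hardened Markdown rendering of an assistant reply that echoes attacker
// markup. Hostnames and the summary text are assumed for the demo.

const IMAGE_RE = /!\[([^\]]*)\]\(([^)\s]+)\)/g;      // ![alt](url)
const LINK_RE = /(?<!!)\[([^\]]*)\]\(([^)\s]+)\)/g;  // [text](url), not preceded by "!"

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null; // relative or malformed URL: treated as untrusted
  }
}

// Naive renderer: every image becomes a live <img src>, which the browser fetches
// the moment it enters the DOM, and every link becomes a clickable <a href>.
function renderNaive(markdown) {
  return markdown
    .replace(IMAGE_RE, (_, alt, url) =>
      `<img src="${escapeHtml(url)}" alt="${escapeHtml(alt)}">`)
    .replace(LINK_RE, (_, text, url) =>
      `<a href="${escapeHtml(url)}">${escapeHtml(text)}</a>`);
}

// Hardened renderer: images load only from allowlisted hosts; anything else
// becomes a visible placeholder. Links are shown as text plus URL, never as <a>.
const DEFAULT_IMAGE_ALLOWLIST = new Set(["cdn.assistant.example"]); // assumed host

function renderHardened(markdown, allowlist = DEFAULT_IMAGE_ALLOWLIST) {
  return markdown
    .replace(IMAGE_RE, (_, alt, url) => {
      const host = hostOf(url);
      if (host !== null && allowlist.has(host)) {
        return `<img src="${escapeHtml(url)}" alt="${escapeHtml(alt)}">`;
      }
      const label = host ?? "relative or malformed URL";
      return `<span class="blocked-image">[image blocked: ${escapeHtml(label)}]</span>`;
    })
    .replace(LINK_RE, (_, text, url) =>
      `<span class="inert-link">${escapeHtml(text)} (${escapeHtml(url)})</span>`);
}

// The equivalent CSP directive for the allowlist, for the chat UI's
// Content-Security-Policy response header: the browser enforces it even if
// a renderer bug lets an <img> through.
function cspImgSrc(allowlist = DEFAULT_IMAGE_ALLOWLIST) {
  return ["img-src 'self'", ...[...allowlist].map((h) => `https://${h}`)].join(" ");
}

// What the rendered HTML makes the browser do: <img src> is fetched with no
// click; <a href> is one click away.
function autoFetchedUrls(html) {
  return [...html.matchAll(/<img src="([^"]*)"/g)].map((m) => m[1]);
}
function clickableUrls(html) {
  return [...html.matchAll(/<a href="([^"]*)"/g)].map((m) => m[1]);
}

// Constructed summary: what an assistant might echo back after reading a page
// carrying the three payloads the article describes (pixel, link, QR image).
const SUMMARY = [
  "The page outlines the vendor's Q3 roadmap and pricing changes.",
  "![](https://attacker.example/pixel.png?id=7f3a)",
  "A [Security Alert](https://attacker.example/login) asks users to re-authenticate.",
  "![Scan for the full report](https://bucket.s3.example/qr.png)",
].join("\n");

const naiveHtml = renderNaive(SUMMARY);
console.log("naive, fetched without a click:", autoFetchedUrls(naiveHtml));
console.log("naive, clickable:", clickableUrls(naiveHtml));
const hardenedHtml = renderHardened(SUMMARY);
console.log("hardened, fetched without a click:", autoFetchedUrls(hardenedHtml));
console.log("hardened, clickable:", clickableUrls(hardenedHtml));
console.log("CSP directive:", cspImgSrc());
```

The naive pass yields two automatic fetches (the tracking pixel and the QR image) and one live phishing link; the hardened pass yields none of either, and the blocked images are still visible to the user as placeholders naming the refused host, so a legitimate summary loses nothing but the leak path.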

What This Means For You

If you’re a developer integrating ChatGPT into internal tools, you’ll need to audit how your UI renders the assistant’s Markdown. Turn off auto‑fetch of images wherever you can, and consider rendering Markdown links as plain text rather than clickable anchors before showing them to end users. That blocks the bulk of the attack surface while you wait for an official fix.

If you’re a security professional, add this vector to your threat model. Train employees not to feed untrusted URLs into AI assistants, and monitor web‑proxy logs for image fetches to unfamiliar hosts whose Referer is chatgpt.com, especially when several clients hit the same host during ChatGPT usage spikes.
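One way to turn that monitoring advice into a check, as an added example that is not part of the original report and not tied to any vendor’s log format: a detection pass over constructed web‑proxy log lines that flags GET requests whose Referer is the chatgpt.com origin and whose destination host is outside an allowlist, then groups hits by host to surface the multi‑client spike. The log format, the allowlist of expected hosts, and every hostname are invented for the demo; the example also assumes the proxy records the Referer header and that the assistant’s page sends its origin as the referrer, which is what the browser default referrer policy produces for cross‑origin image loads.

```javascript
// Added example (not from Permiso, OpenAI or any proxy vendor): flag image
// fetches made from the assistant UI to hosts outside an allowlist, then
// summarize by destination host. Log format and hosts are constructed.

// Constructed format: ts client method url status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ts, client, method, url, status, bytes, referer, userAgent] = m;
  return { ts, client, method, url, status: Number(status), bytes: Number(bytes), referer, userAgent };
}

function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

const ASSISTANT_ORIGINS = new Set(["chatgpt.com"]);
// Hosts the assistant UI legitimately loads images from (assumed allowlist).
const EXPECTED_HOSTS = new Set(["cdn.assistant.example", "chatgpt.com"]);
const IMAGE_PATH_RE = /\.(png|gif|jpe?g|webp|svg)(\?|$)/i;

function findSuspiciousFetches(lines, { assistantOrigins = ASSISTANT_ORIGINS, expectedHosts = EXPECTED_HOSTS } = {}) {
  const findings = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== "GET") continue;
    const refHost = hostOf(e.referer);
    const dstHost = hostOf(e.url);
    if (!refHost || !dstHost || !assistantOrigins.has(refHost)) continue;
    if (expectedHosts.has(dstHost)) continue;
    const reasons = ["referrer is the assistant UI", "destination not in allowlist"];
    if (IMAGE_PATH_RE.test(e.url)) reasons.push("image-like path");
    if (e.bytes < 100) reasons.push("tiny response (tracking pixel?)");
    findings.push({ ts: e.ts, client: e.client, host: dstHost, url: e.url, reasons });
  }
  return findings;
}

// One unknown host hit by several distinct clients is the spike worth triaging.
function summarizeByHost(findings) {
  const byHost = new Map();
  for (const f of findings) {
    const s = byHost.get(f.host) ?? { host: f.host, hits: 0, clients: new Set() };
    s.hits += 1;
    s.clients.add(f.client);
    byHost.set(f.host, s);
  }
  return [...byHost.values()]
    .map((s) => ({ host: s.host, hits: s.hits, distinctClients: s.clients.size }))
    .sort((a, b) => b.distinctClients - a.distinctClients);
}

// Constructed proxy log: one legitimate CDN fetch, three fetches triggered by
// rendered summaries, one unrelated fetch, one API POST, one unparseable line.
const SAMPLE_LOG = [
  '2026-05-30T10:12:01Z 10.0.0.15 GET https://cdn.assistant.example/icons/check.png 200 1843 "https://chatgpt.com/" "Mozilla/5.0"',
  '2026-05-30T10:12:03Z 10.0.0.15 GET https://attacker.example/pixel.png?id=7f3a 200 43 "https://chatgpt.com/" "Mozilla/5.0"',
  '2026-05-30T10:14:27Z 10.0.0.22 GET https://attacker.example/pixel.png?id=9c01 200 43 "https://chatgpt.com/" "Mozilla/5.0"',
  '2026-05-30T10:15:00Z 10.0.0.22 GET https://bucket.s3.example/qr.png 200 5120 "https://chatgpt.com/" "Mozilla/5.0"',
  '2026-05-30T10:15:10Z 10.0.0.31 GET https://attacker.example/pixel.png?id=7f3a 200 43 "https://news.example/article" "Mozilla/5.0"',
  '2026-05-30T10:16:40Z 10.0.0.31 POST https://chatgpt.com/backend-api/conversation 200 912 "https://chatgpt.com/" "Mozilla/5.0"',
  "garbage line that does not parse",
];

const sampleFindings = findSuspiciousFetches(SAMPLE_LOG);
console.log(sampleFindings);
console.log(summarizeByHost(sampleFindings));
```

Against the sample, the pass returns three findings and ranks attacker.example first because two different clients fetched the same 43‑byte image from it within minutes; the same pixel fetched with a news site as the referrer is ignored, since the point is to catch loads originating from the assistant UI, not every request to a suspicious host.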

Here are three concrete scenarios that illustrate how the vulnerability could surface in day‑to‑day workflows:

  • Developer tooling: A CI/CD dashboard includes a “quick research” button that sends a URL to ChatGPT and shows the response in an embedded widget. If the widget renders markdown without a sandbox, a malicious image on the target site will ping the attacker’s server every time a build engineer clicks the button.
  • Customer‑support bot: An agent copies a user‑provided link into a ChatGPT‑powered knowledge base search. The bot’s reply contains a QR code that the agent scans with a corporate phone, which opens the attacker’s page on the device, outside the desktop’s web filtering.
  • Internal knowledge portal: A product team pastes a competitor’s blog URL into a shared ChatGPT thread to extract feature ideas. The summary includes a live “download report” link that, when clicked, redirects to a credential‑stealing page that mimics the company’s SSO portal.

Each of these examples shares a common thread: an external resource is trusted simply because it appears inside a familiar interface. Mitigating the risk means breaking that trust chain before the renderer can act.

Looking ahead: Will AI assistants stay trustworthy?

The ChatGPhish discovery shows that even well‑intentioned features—like rendering helpful links—can become liabilities. As AI assistants become more embedded in daily workflows, we’ll have to ask whether the convenience of live markdown outweighs the risk of turning every web page into a phishing launchpad.

Until OpenAI tightens its rendering pipeline, organizations should treat any ChatGPT summary that includes external media as potentially hostile. The onus is on developers and security teams to enforce stricter controls now, rather than waiting for a patch.

Key questions remaining

  • Will OpenAI opt for a blanket ban on external image loading, or will it introduce a permission prompt that users must acknowledge?
  • How will third‑party integrators adapt their UI stacks to honor new CSP rules without breaking legitimate use cases?
  • What monitoring capabilities can security teams deploy to detect the subtle network spikes that signal an image‑fetch attack?

Answers to these questions will shape the next generation of safe AI‑driven interfaces. In the meantime, a cautious approach—scrutinizing every external URL, limiting auto‑fetch behavior, and educating users—remains the most reliable defense.

Sources: The Hacker News, original report