ChatGPT Can Be Turned Into a Phishing Tool Through New ‘ChatGPhish’ Vulnerability

Many people use ChatGPT to summarize articles, research topics, and quickly understand complex web pages. But security researchers have now discovered a technique that could potentially turn that trusted AI assistant into a phishing surface.

Researchers at Permiso Security have disclosed a new attack method called “ChatGPhish” that exploits how ChatGPT handles content from webpages it is asked to summarize.

According to the researchers, ChatGPT’s web summarization feature can render attacker-controlled Markdown links and images from a webpage directly inside the chatbot’s response. As a result, a malicious webpage could potentially inject phishing links, fake security alerts, tracking images, or QR codes into what appears to be a trustworthy ChatGPT response.

How the ChatGPhish Attack Works

The attack begins with a specially crafted webpage controlled by an attacker.

When a user asks ChatGPT to summarize that webpage, hidden instructions and malicious content embedded within the page may influence how the response is displayed. Researchers found that ChatGPT’s response renderer automatically processes certain Markdown elements, including links and images.

This creates several potential risks. For example, attacker-controlled images may be automatically loaded when the response is generated, which allows the attacker to collect information such as the visitor’s IP address, browser details, and referral information.

More concerning is the possibility of phishing links appearing directly within ChatGPT’s response. Since the links are displayed inside the familiar ChatGPT interface, users may be more likely to trust and click them.

Researchers also demonstrated scenarios involving fake account security warnings and malicious QR codes that could redirect users to attacker-controlled websites.
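One way a chat client could blunt this class of issue before rendering, shown as an added example that is not code from the article, Permiso, or OpenAI: a pre-render filter that keeps inline Markdown links and images only when the URL parser resolves them to an allowlisted HTTPS host. The function names, the allowlist, and every host name are assumptions made for illustration, and the filter covers inline syntax only; reference-style links and raw HTML still have to be handled in the renderer itself.

```javascript
// Added example, not ChatGPT's or Permiso's code. Hosts below are constructed.
const ALLOWED_HOSTS = new Set(["docs.trusted.example"]); // assumption: renderer allowlist

// Host of an https URL as the URL parser sees it, or null for anything else.
function hostOf(dest) {
  try {
    const u = new URL(dest);
    return u.protocol === "https:" ? u.hostname.toLowerCase() : null;
  } catch {
    return null; // relative, malformed or non-URL destination: treated as untrusted
  }
}

// Tail of an inline link or image: "](" destination [title] ")".
// Matching the tail covers [text](url), ![alt](url) and nested forms in one pass.
const TAIL = /\]\(\s*(<[^>\n]*>|[^\s)]+)[^)]*\)/g;

function neutralizeMarkdown(text, allowed = ALLOWED_HOSTS) {
  const findings = [];
  const safe = text.replace(TAIL, (whole, dest) => {
    const url = dest.replace(/^<|>$/g, "");
    const host = hostOf(url);
    if (host !== null && allowed.has(host)) return whole; // trusted: keep as written
    findings.push({ host, url });
    // In CommonMark "] (" with a space is not link syntax, so nothing renders or loads.
    return `] (destination removed: ${host ?? "not an https URL"})`;
  });
  return { safe, findings };
}

// Constructed model response carrying Markdown copied from a summarised page.
const SAMPLE = [
  "Summary of the page.",
  "![status](https://img.untrusted.example/p.png)",
  "Security alert: [verify your account](https://docs.trusted.example@login.untrusted.example/)",
  "Reference: [documentation](https://docs.trusted.example/guide)",
].join("\n");

console.log(neutralizeMarkdown(SAMPLE).safe);
```

The third sample line puts the trusted name in the userinfo part of the URL; comparing the parsed hostname rather than a string prefix is what keeps it off the allowlist.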

Why This Matters

The bigger concern is not the vulnerability itself but what it says about the growing role of AI in our daily lives.

More people are now using ChatGPT to summarize articles, research topics, and even help them browse the web. Instead of opening multiple websites, many simply rely on the chatbot’s response. That also means users are placing a lot of trust in what the AI shows them.

If attackers can influence those responses through malicious webpages, they could use AI tools to display phishing links, fake security alerts, or malicious QR codes to unsuspecting users.

What makes this particularly interesting is that attackers are not trying to hack ChatGPT directly. Instead, they are trying to manipulate the information it processes so that the AI ends up doing part of the work for them.

ChatGPhish is not the first example of this. Researchers have already demonstrated similar attacks against AI assistants, AI coding tools, and autonomous AI agents. As AI becomes more deeply integrated into everyday workflows, such attacks are likely to attract even more attention from cybercriminals.

The discovery does not mean ChatGPT has suddenly become unsafe. However, it serves as a reminder that users should not blindly trust everything generated by AI. Whether it is a link, QR code, or security warning, it is always worth taking a closer look before clicking.


Deepanker Verma

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
