Permiso — ChatGPhish Turns ChatGPT Summaries Into a Phishing Surface

AI relevance: Browser-based summarization tools implicitly trust page content, so any webpage an employee asks an AI to summarize becomes an unauthenticated prompt-injection and phishing delivery vector — expanding the attack surface beyond email and into the open web.

• Permiso Security researchers disclosed "ChatGPhish," a technique that exploits how ChatGPT's response renderer trusts Markdown links and image URLs originating from third-party pages it summarizes.
• Attacker-hosted images embedded in a summarized page are auto-fetched by ChatGPT, leaking the victim's IP, User-Agent, Referer, and precise timing — turning any summary into a passive tracking beacon.
• Malicious Markdown links from the source page render as live, clickable elements inside ChatGPT's trusted UI with no origin labelling, making it impossible for users to distinguish AI-generated links from attacker-planted ones.
• The renderer will lay out attacker-crafted text as fake system-style security alerts, wearing ChatGPT's own formatting and visual tone to boost credibility.
• Auto-rendered QR codes from attacker-controlled S3 buckets create a mobile-pivot path: victims scan the QR on their phone, bypassing desktop URL filters, hover previews, and enterprise blocklists entirely.
• The delivery surface is the open browser — GitHub READMEs, documentation pages, public blog posts, dashboards, and marketing sites all become viable phishing lures if an employee asks ChatGPT to summarize them.
• This is a trust-transfer problem: untrusted web content is polished into authoritative AI output, and users implicitly trust the assistant's rendering surface far more than raw browser content.
• Permiso previously demonstrated the same primitive via Microsoft Copilot email summarization, showing that model-mediated phishing is migrating from bounded primitives (email) to unbounded ones (the browser).

Why it matters

Summarization is becoming a default workflow across AI assistants. Unlike email, which sits behind spam filters, gateways, and user training, the browser has no equivalent defense chain. Any employee who routinely summarizes documentation, research, or dashboards via ChatGPT is unknowingly expanding their organization's phishing surface to the entire open web.

What to do

• Train employees that AI summary outputs can contain attacker-injected links and images — treat them like any untrusted external content.
• Advise against summarizing pages from untrusted or unfamiliar domains through AI assistants.
• AI vendors should implement clear source separation: label external links and images in rendered responses with their origin domain, and block auto-fetching of third-party images without user consent.

Sources

• Permiso Security — ChatGPhish: The Page Is the Payload
• The Hacker News — ChatGPhish Vulnerability
• The Register — ChatGPT prompt injection turns web pages into phishing lures