top of page
perceptive_background_267k.jpg

ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface

Published:

29 mei 2026 om 18:07:12

Alert date:

29 mei 2026 om 19:07:04

Source:

thehackernews.com

Click to open the original link from this advisory

Emerging Technologies, Web Technologies

Cybersecurity researchers disclosed a vulnerability in OpenAI ChatGPT called ChatGPhish that exploits the AI assistant's trust in Markdown links and images. The vulnerability enables prompt injections and phishing attacks through ChatGPT's web summary feature. The attack leverages the chatgpt.com response renderer's trust in Markdown content to manipulate user interactions. This represents a new attack vector targeting AI-powered assistants and their web integration capabilities.

Technical details

ChatGPhish vulnerability exploits ChatGPT's implicit trust in Markdown links and images from third-party pages during summarization. When ChatGPT processes a malicious web page, it auto-fetches attacker-controlled images and renders malicious Markdown links as live clickable elements in the trusted UI. Attack vectors include: IP/User-Agent/Referer leakage through image auto-fetching, fake security alerts, QR codes from attacker S3 buckets to bypass desktop filters, and cross-prompt injection (XPIA) through embedded instructions. Related attacks include SymJack (symlink exploitation in AI coding agents), TrustFall (one-click RCE via malicious MCP servers), IICL jailbreak techniques, multi-turn conversation bypasses, and typographic prompt injection using adversarial text rendered as images.

Mitigation steps:

BrowserOS patched in version 0.32.0, Apple addressed issues in iOS 26.4 and macOS 26.4, organizations should be cautious when using ChatGPT for research and summarization of untrusted web pages, implement additional validation for AI-processed content, monitor for suspicious AI behavior during summarization tasks, review AI agent configurations and MCP server permissions, validate repository trust prompts carefully before approval

Affected products:

OpenAI ChatGPT
Microsoft Copilot
Anthropic Claude Code
Claude Chrome browser extension
Microsoft Semantic Kernel
Apple Intelligence
BrowserOS version < 0.32.0
ClawHub
skills.sh
NemoClaw
NVIDIA OpenClaw AI agents

Related links:

https://permiso.io/blog/chatgpt-markdown-rendering-vulnerability
https://permiso.io/blog/copilot-prompt-injection-ai-email-phishing
https://adversa.ai/blog/the-approval-prompt-is-lying-to-you-symlink-rce-in-five-ai-coding-agents-claude-code-cursor-antigravity-copilot-grok-build/
https://adversa.ai/blog/trustfall-coding-agent-security-flaw-rce-claude-cursor-gemini-cli-copilot/
https://arxiv.org/abs/2604.19461
https://adversa.ai/blog/iicl-attack-gpt-5-4-safety-bypass-in-context-learning/
https://blogs.cisco.com/ai/proprietary-problems
https://www.mitiga.io/blog/claude-code-mcp-token-theft-mitm
https://www.terra.security/blog/openclaw-vulnerability-research
https://docs.openclaw.ai/gateway/heartbeat
https://sublime.security/blog/prompt-injection-attacks-dont-look-like-what-youre-seeing-in-social-media-and-headlines/
https://layerxsecurity.com/blog/a-flaw-in-claudes-browser-extension-allows-any-extension-to-hijack-it/
https://blogs.cisco.com/ai/reading-between-the-pixels-assessing-prompt-injection-attack-success-in-images
https://blogs.cisco.com/ai/reading-between-the-pixels-failure-modes-in-vlms
https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
https://arxiv.org/abs/2403.03792
https://www.rsaconference.com/library/blog/is-that-a-bad-apple-in-your-pocket-we-used-prompt-injection-to-hijack-apple-intelligence
https://www.catonetworks.com/blog/webprompttrap-new-indirect-prompt-injection-vulnerability/
https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/
https://www.lasso.security/blog/sandboxed-ai-agents-attack-surface
https://unit42.paloaltonetworks.com/ai-use-in-malware/
https://unit42.paloaltonetworks.com/ai-software-security-risks/
https://unit42.paloaltonetworks.com/autonomous-ai-cloud-attacks/

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page