Back

ChatGPT Vulnerability Allows Phishing via Browser Content

Severity: High (Score: 61.5)

Sources: permiso.io, Cybersecuritynews, Theregister

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: chatgpt, markdown, content, prompt, injection, looked, email

Severity indicators: vulnerability

Summary

A newly discovered vulnerability in ChatGPT allows attackers to inject malicious content from web pages into its responses. This occurs when users request a summary of a page containing hidden instructions, which can lead to phishing attacks. The vulnerability, termed 'ChatGPhish', enables the injection of phishing URLs or fake security alerts styled like ChatGPT's own content. Researchers demonstrated this attack using Firefox, but it is not limited to any specific browser. The flaw was reported to OpenAI, but there has been no confirmation of a fix. Users are advised to exercise caution when using ChatGPT for summarizing web pages. The vulnerability highlights the risks associated with AI systems rendering untrusted content directly in browsers. Key Points: • ChatGPT can be manipulated to include attacker-controlled content in its summaries. • The vulnerability, named 'ChatGPhish', allows phishing URLs and fake alerts to be injected. • OpenAI has not confirmed whether the vulnerability has been addressed.

Detailed Analysis

**Impact** Users of ChatGPT’s browser-integrated page summarization feature are affected, particularly those who invoke summaries on attacker-controlled or compromised web pages. The vulnerability enables phishing attacks by injecting malicious links, fake security alerts, and QR codes into trusted AI-generated content, potentially impacting individuals and enterprises globally. This can lead to credential theft, unauthorized access, and lateral movement from desktop to mobile devices, affecting sectors relying on ChatGPT for information synthesis and decision-making. **Technical Details** The attack vector involves prompt injection via Markdown content embedded in web pages that users request ChatGPT to summarize. The ChatGPT client auto-fetches and renders untrusted Markdown links and images, including attacker-controlled URLs and QR codes, without source validation. This vulnerability exploits the model’s inability to distinguish between original and injected content, enabling phishing payloads delivered through the browser summarization flow. No CVEs or malware names were reported. The attack chain includes initial victim browsing, prompt injection, AI response manipulation, and phishing payload delivery. **Recommended Response** Users should avoid requesting summaries of untrusted or unknown web pages until a fix is confirmed. Organizations should monitor for suspicious ChatGPT outputs containing unexpected links or QR codes and educate users on verifying AI-generated content. Defenders should implement URL filtering and phishing detection on links rendered by AI interfaces and consider restricting browser-based summarization features in sensitive environments. No official patch or mitigation from OpenAI has been confirmed as of the report date.

Source articles (3)

  • ChatGPT blindly trusts browser content, turning the page into a payload — Theregister · 2026-05-29
    EXCLUSIVE ChatGPT can’t tell its own generated content from attacker-controlled Markdown pulled from external sources, according to a researcher who found the prompt injection technique and reported i…
  • Chatgpt Markdown Rendering Vulnerability — permiso.io · 2026-05-29
    In our research on Copilot prompt injection , we looked at a phishing primitive hiding inside email summaries. The setup was simple: an attacker-controlled email contained text that looked like instru…
  • New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads — Cybersecuritynews · 2026-05-29
    A browser-based prompt injection technique that transforms any web page into a phishing delivery surface by exploiting ChatGPT’s page summarization feature, rendering attacker-controlled links, fake s…

Timeline

  • 2026-04-29 — Vulnerability reported to OpenAI: Andi Ahmeti submitted the initial report of the ChatGPT vulnerability via Bugcrowd.
  • 2026-05-01 — Report revised and marked as duplicate: Ahmeti revised the vulnerability report, but it was marked as a duplicate despite significant differences.
  • 2026-05-29 — Vulnerability details published: Both Permiso and The Register published findings on the vulnerability, emphasizing the risks of AI systems rendering untrusted content.

Related entities

  • Phishing (Attack Type)
  • Prompt Injection (Attack Type)
  • ChatGPhish (Vulnerability)
  • Kosovo (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • Cwe-79 - Cross-site Scripting (xss) (Cwe)
  • chatgpt.com (Domain)
  • injection.to (Domain)
  • register.in (Domain)
  • shorturl.at (Domain)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • AWS (Company)
  • Azure (Company)
  • Google Cloud Platform (Company)
  • ChatGPT (Platform)
  • CloudLens (Platform)
  • Firefox (Platform)
  • GitHub (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed