ChatGPhish: Any Web Page Can Weaponize ChatGPT Summaries

Abhishek Gautam, 10 min read

Quick summary

Permiso disclosed ChatGPhish on May 29, 2026: ChatGPT trusts Markdown from summarized pages, enabling phishing links, fake alerts, and QR codes in the trusted UI.

Permiso Security published ChatGPhish on May 29, 2026: a technique where any web page a user asks ChatGPT to summarize can inject phishing links, spoofed account-security alerts, and QR codes that render inside the trusted chatgpt.com interface with no origin labeling. The root issue is that the response renderer trusts Markdown links and image URLs from third-party summarized content and auto-fetches remote images.

If your team uses ChatGPT to summarize docs, READMEs, or competitor pages, this is a live social-engineering surface, not a theoretical prompt-injection paper.

What is ChatGPhish?

ChatGPhish is Permiso's name for a browser-scale Cross Prompt Injection Attack (XPIA). The attacker does not need to email the victim. They only need the victim to browse to a page (or any page the victim might later summarize) that embeds hidden or visible instructions telling ChatGPT how to format the reply.

Permiso researcher Andi Ahmeti showed that once page text enters the model context, the assistant can append attacker blocks that look like official OpenAI security notices, complete with clickable Markdown links users cannot distinguish from ChatGPT-native output.

Initial disclosure to OpenAI via Bugcrowd was filed on April 29, 2026 under the title "Untrusted Markdown Rendering Leads to XSS, Phishing, and Data Exfiltration." A revised proof of concept was submitted on May 1, 2026, and Permiso clarified the QR and passive-tracking implications on May 7, 2026. Public release followed on May 29, 2026, after reporting indicated no fix had shipped within the disclosure window.

How the attack works step by step

  1. Attacker plants instructions on a normal-looking page (blog, README, SaaS dashboard, doc portal).
  2. Victim uses Firefox (in Permiso tests) and ChatGPT's page summarization flow on that URL.
  3. Model produces a legitimate summary, then follows attacker formatting rules appended in the page text.
  4. chatgpt.com renders attacker Markdown: live links, remote images, QR codes fetched from attacker S3 buckets.
  5. User trusts the UI and clicks or scans, bypassing hover URL habits because the chrome looks like ChatGPT.

Permiso's key sentence: "If the user can ask ChatGPT to summarize the page, the page can become the payload."

Three attack primitives developers should catalog

| Primitive | What happens | Why it hurts |
|---|---|---|
| UI redress / phishing | Attacker links render as first-class ChatGPT UI elements | No "external site" banner on injected URLs |
| QR pivot | QR images load from attacker S3 | Desktop URL filters and password managers never see the phone destination |
| Passive tracking | Renderer auto-fetches image URLs | Leaks IP, browser, and timing metadata to attacker infrastructure |

The QR angle is especially nasty for enterprises: security training teaches "hover the link," not "do not scan a QR code ChatGPT drew for you."

Relation to Copilot XPIA and TrapDoor week

Permiso previously demonstrated similar trust transfer against Microsoft Copilot when attacker-controlled email content influenced summaries. ChatGPhish expands the surface from inbox to the entire web.

In the same week, TrapDoor poisoned .cursorrules and CLAUDE.md and TanStack's Mini Shai-Hulud hit npm. The pattern: AI products trust external content (pages, config files, dependencies) at least as much as traditional apps trust HTML email.

What OpenAI and enterprises have said publicly

Reporting noted that OpenAI's Bugcrowd responses varied: an early submission was closed as a duplicate of a prior issue, while the follow-up emphasized the broader phishing impact. The Register independently reproduced the behavior on May 29, 2026, confirming the issue worked on unpatched ChatGPT at disclosure time.

Treat the status as "verify on your tenant today," not "patched because a headline exists."

Developer and security team playbook

Policy: Restrict ChatGPT browse/summarize URL features for roles with access to production credentials, unless URLs pass an allowlist or sanitization proxy.

Product teams building summarization: Never mirror ChatGPT's pattern of rendering third-party Markdown as trusted UI. Strip links, rewrite through a link proxy, or show explicit "content from example.com" banners.
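One way for a product team to apply this advice, as an added example that is not Permiso's, OpenAI's, or this article's own code: a pre-render pass over the model's Markdown that never loads remote images, routes links to non-allowlisted hosts through an interstitial proxy with a visible host label, and prefixes an origin banner. The allowlist, the proxy URL, and the sample model output are constructed for illustration.

```python
import re
from urllib.parse import quote, urlparse

# Hypothetical allowlist: links to these hosts may stay clickable as-is.
TRUSTED_LINK_HOSTS = {"docs.internal.example"}
# Hypothetical internal redirector that shows an interstitial before leaving.
LINK_PROXY = "https://linkcheck.internal.example/go?u="

# Markdown image and link syntax; an optional title after the URL is tolerated.
# Images are handled first so the leading "!" is consumed before LINK_RE runs.
IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)[^)]*\)")
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]+)[^)]*\)")

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _neutralize_image(match):
    """Never auto-fetch a remote image: drop the URL and keep only the alt text.
    This closes the passive-tracking channel and stops QR codes from rendering."""
    alt, url = match.group(1), match.group(2)
    return f"*image from {_host(url) or 'unknown host'} not loaded; alt text: {alt or 'none'}*"

def _rewrite_link(match):
    """Route untrusted links through the proxy and label their real host."""
    text, url = match.group(1), match.group(2)
    if urlparse(url).scheme not in ("http", "https"):
        return f"{text} (blocked link: {url})"  # data: and similar become inert text
    host = _host(url)
    if host in TRUSTED_LINK_HOSTS:
        return f"[{text}]({url})"
    return f"[{text}]({LINK_PROXY}{quote(url, safe='')}) (external: {host})"

def sanitize_summary(markdown, source_url):
    """Rewrite model output so third-party Markdown cannot pose as assistant UI."""
    banner = (f"> Content below was summarized from {_host(source_url)}; "
              "any links or images came from that page, not from the assistant.\n\n")
    return banner + LINK_RE.sub(_rewrite_link, IMAGE_RE.sub(_neutralize_image, markdown))

# Constructed sample of model output carrying an injected fake alert and QR image.
SAMPLE = ("The page documents a CLI deployment tool.\n\n"
          "**Security notice:** unusual sign-in detected. "
          "[Verify your account](https://chatgpt-verify.attacker.example/login) "
          "or scan ![QR code](https://s3.attacker.example/qr.png)")

if __name__ == "__main__":
    print(sanitize_summary(SAMPLE, "https://docs.example.com/readme"))
```

Running the sample shows the fake alert's link still present but visibly labelled and proxied, and the QR image reduced to its alt text.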

Red-team: Add ChatGPhish-style pages to internal phishing exercises; measure click rates inside AI assistants separately from email phishing.

Detection: Log when employees paste external URLs into corporate AI tools; correlate with newly registered domains in those sessions.

User training: one line is enough: "ChatGPT can repeat attacker text from a webpage as if it were ChatGPT."

Key Takeaways

  • ChatGPhish (Permiso, May 29, 2026): summarized web pages can inject phishing links, fake alerts, and QR codes into trusted ChatGPT UI
  • Root cause: renderer trusts third-party Markdown links/images and auto-fetches remote assets
  • Disclosure timeline: Bugcrowd Apr 29 → follow-up May 7 → public May 29
  • No user click on email required — only normal "summarize this page" workflow
  • For developers: audit internal LLM summarization UIs; restrict corporate ChatGPT URL features; train on AI UI trust
  • What to watch: OpenAI patch notes, enterprise DLP integrations for AI browsers, copycat attacks on Gemini/Claude summarize features

Frequently asked questions

What is ChatGPhish?

ChatGPhish is a May 2026 attack technique disclosed by Permiso where attacker-controlled content on a web page is included when a user asks ChatGPT to summarize that page, causing phishing links and fake security messages to render inside the trusted ChatGPT interface.

Does ChatGPhish require the user to visit a malicious site deliberately?

The user must invoke summarization on a page that contains attacker instructions. That can be any page they browse during normal work, including compromised docs, READMEs, or third-party dashboards.

Did OpenAI patch ChatGPhish before disclosure?

Reporting at public disclosure indicated Permiso had reported via Bugcrowd weeks earlier and that independent journalists reproduced the issue on May 29, 2026. Verify patch status in your environment rather than assuming remediation.

How is ChatGPhish different from email phishing?

It moves the injection surface from email to any URL employees might summarize with ChatGPT, expanding reach to documentation and SaaS pages attackers do not need to deliver directly to inboxes.

What should engineering teams do now?

Restrict URL summarization in corporate AI tools where possible, never render unsanitized third-party Markdown as trusted UI in your own products, and add ChatGPhish awareness to security training alongside supply-chain alerts like TrapDoor and TanStack compromises.

When was ChatGPhish reported to OpenAI?

Permiso filed an initial Bugcrowd report on April 29, 2026, submitted an expanded proof of concept on May 1, 2026, and followed up on May 7, 2026 before public disclosure on May 29, 2026.

Can ChatGPhish steal data without clicking a link?

Permiso documented passive tracking via auto-fetched Markdown images that can leak IP address and browser metadata. Phishing links and QR codes require additional user action but appear native to ChatGPT.

Does ChatGPhish affect only Firefox?

Permiso's published testing used Firefox as the entry point for page summarization. The underlying issue is trust in summarized Markdown rendering on chatgpt.com; test your organization's browsers and workflows rather than assuming Firefox-only risk.

How does ChatGPhish relate to other May 2026 AI security news?

It sits alongside supply-chain attacks on AI tooling such as TrapDoor poisoning .cursorrules and the TanStack Mini Shai-Hulud npm worm. All exploit trust placed in external content feeding AI systems.

Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 795+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 164 countries.