A newly discovered vulnerability in ChatGPT’s page summarization feature enables attackers to transform any web page into a phishing medium. This technique, called ChatGPhish, leverages unauthorized links, deceptive security alerts, and QR codes within the trusted ChatGPT interface, posing significant risks to users.
Understanding the ChatGPhish Attack
Researchers have identified ChatGPhish as an advanced attack that extends beyond previous vulnerabilities like those seen with Microsoft Copilot. By exploiting Cross Prompt Injection Attacks (XPIA), attackers can manipulate AI-generated summaries. Now, with ChatGPhish, this threat has moved from email environments to browsers, impacting users during their daily internet activities.
When a user requests a summary of any web content, such as a GitHub README or a blog post, ChatGPhish can silently embed malicious instructions into the AI’s response. This seamless integration of harmful content into trusted interfaces underscores the attack’s potential impact.
The Mechanics Behind ChatGPhish
The attack works by appending a small payload to a publicly accessible web page, influencing how ChatGPT processes and displays summaries. Since ChatGPT’s response renderer accepts Markdown links and images from external content, attackers can deploy several tactics:
- Phishing Through UI Redress: Malicious links appear as legitimate elements within ChatGPT, making it hard for users to distinguish between genuine and attacker-injected URLs.
- Spoofed Alerts: Attackers can create fake notifications styled as credible security messages, leveraging the visual trust of the interface.
- QR Code Exploitation: Attacker-controlled QR codes bypass desktop security measures, posing threats when scanned on secondary devices.
- Passive Tracking: Images embedded through URL-shortener links leak user data to attackers, because the interface fetches the image automatically as soon as the summary is rendered, with no click required.
Mitigation Strategies and Future Outlook
The core danger of ChatGPhish lies in its ability to insert attacker content into ChatGPT’s output in a way the user cannot distinguish from the model’s own text. As described in OWASP’s LLM01:2025 (Prompt Injection), this risk arises from the difficulty large language models (LLMs) have in separating legitimate instructions from malicious ones embedded in the content they process.
To mitigate this threat, security teams are advised to avoid using AI summarization features on untrusted content and to restrict browser permissions. Additionally, treating all interactive elements in AI summaries as potentially harmful until verified and deploying anomaly detection systems can help safeguard against such attacks.
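The list of tactics above and the advice to treat every interactive element in a summary as suspect until verified both come down to one control point: the Markdown links and images that the renderer accepts from external content. The following is an added example (not code from the researchers, from OpenAI, or from the original article) of a pre-render audit that a team could place between the model output and the UI. It assumes the summary arrives as Markdown text and that the URL of the summarized page is known; the sample source URL and summary are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Markdown image ![alt](url "title") and link [text](url "title").
# The negative lookbehind keeps images out of the link pattern.
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)[^)]*\)')
LINK_RE = re.compile(r'(?<!!)\[([^\]]*)\]\(([^)\s]+)[^)]*\)')
SAFE_SCHEMES = {"http", "https"}


def host_of(url):
    """Lower-cased hostname of a URL, or None if it has none (e.g. javascript:)."""
    parsed = urlparse(url.strip())
    return parsed.hostname.lower() if parsed.hostname else None


def audit_summary(summary, source_url):
    """Audit an LLM-produced summary of `source_url` before it is rendered.

    Returns (findings, rendered_text). Every Markdown image is removed, since
    rendering it would auto-fetch an attacker URL (passive tracking) and could
    display a QR code. Links are flattened to visible text plus their real
    target, and a link is reported when its target is off the summarized
    page's origin, uses a non-http scheme, or has visible text that names a
    different host than the one it actually points to (UI redress).
    """
    findings = []
    source_host = host_of(source_url)

    def image_sub(match):
        alt, url = match.group(1), match.group(2)
        findings.append({"kind": "image", "url": url,
                         "reasons": ["auto-fetched image in LLM output"]})
        return "{image removed: %s -> %s}" % (alt or "no alt text", host_of(url))

    def link_sub(match):
        text, url = match.group(1), match.group(2)
        reasons = []
        scheme = urlparse(url).scheme.lower()
        target_host = host_of(url)
        if scheme not in SAFE_SCHEMES:
            reasons.append("non-http scheme: %s" % (scheme or "none"))
        elif target_host != source_host:
            reasons.append("off-origin target: %s" % target_host)
        # Visible text that itself looks like a URL must agree with the target.
        text_host = host_of(text) if "://" in text else None
        if text_host and text_host != target_host:
            reasons.append("visible text names %s but target is %s"
                           % (text_host, target_host))
        if reasons:
            findings.append({"kind": "link", "url": url, "reasons": reasons})
            return "%s [unverified link: %s]" % (text, url)
        return "%s (%s)" % (text, url)

    rendered = LINK_RE.sub(link_sub, IMAGE_RE.sub(image_sub, summary))
    return findings, rendered


# Constructed sample: the page being summarized, and a summary carrying an
# injected "security alert", a look-alike login link and a tracking/QR image.
SAMPLE_SOURCE = "https://github.com/example-org/example-repo"
SAMPLE_SUMMARY = (
    "The README describes a small CLI tool. Builds are on "
    "[the releases page](https://github.com/example-org/example-repo/releases).\n\n"
    "Security Alert: your session expired, sign in again at "
    "[https://github.com/login](https://login.example.invalid/gh)\n"
    "![scan to continue on your phone](https://short.example.invalid/qr1)\n"
)

if __name__ == "__main__":
    found, text = audit_summary(SAMPLE_SUMMARY, SAMPLE_SOURCE)
    for finding in found:
        print(finding["kind"], finding["url"], "; ".join(finding["reasons"]))
    print(text)
```

Run on the constructed sample, the audit reports the QR image and the look-alike login link (off-origin target, and visible text claiming github.com), while the genuine same-origin releases link passes through with its real target shown beside it. The findings list is also a natural feed for the anomaly detection mentioned above: a spike of off-origin or scheme-mismatched links across summaries is a concrete signal to alert on.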
OpenAI acknowledged the report but initially had difficulty reproducing the issue; after further evidence was provided, the vulnerability was publicly disclosed. Until robust source separation and labeling are enforced, browser-integrated AI systems remain exposed to phishing and data exfiltration through injected content.
This research highlights a critical challenge for AI-driven summarization systems: without clear origin labeling of web content, browsers will continue to serve as a low-barrier attack surface.
