CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads

Cybersecurity News Archived May 29, 2026 ✓ Full text saved

A browser-based prompt injection technique that transforms any web page into a phishing delivery surface by exploiting ChatGPT’s page summarization feature, rendering attacker-controlled links, fake security alerts, and QR codes directly inside the trusted ChatGPT interface. Researchers at Permiso have disclosed the attack dubbed ChatGPhish, which builds on the same trust-transfer logic previously demonstrated against […] The post New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phis

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads By Guru Baran May 29, 2026 A browser-based prompt injection technique that transforms any web page into a phishing delivery surface by exploiting ChatGPT’s page summarization feature, rendering attacker-controlled links, fake security alerts, and QR codes directly inside the trusted ChatGPT interface. Researchers at Permiso have disclosed the attack dubbed ChatGPhish, which builds on the same trust-transfer logic previously demonstrated against Microsoft Copilot, where attacker-crafted email content could manipulate AI-generated summaries through Cross Prompt Injection Attacks (XPIA). ChatGPhish escalates that premise by swapping the bounded email primitive for the browser where users spend the majority of their working day. Any page a user visits and asks ChatGPT to summarize a GitHub README, documentation portal, blog post, or SaaS dashboard can silently carry malicious instructions into the model’s response. ChatGPT Vulnerability – ChatGPhish Attack By appending a small instruction payload to any publicly accessible web page, an unauthenticated attacker can influence how ChatGPT structures and renders its summarization output. Because chatgpt.com‘s response renderer trusts Markdown links and image URLs originating from third-party summarized content, three distinct attack primitives become available: UI redress / phishing: Attacker-controlled Markdown links render as live, clickable elements inside the ChatGPT interface with no origin labeling — users cannot distinguish attacker-injected URLs from ChatGPT-generated ones Spoofed system alerts: The renderer displays attacker text styled as legitimate “account security” notifications, inheriting the visual trust of the assistant’s own UI QR-code pivot: Auto-rendered QR code images fetched from attacker-controlled S3 buckets bypass all desktop URL defenses — hover previews, browser blocklists, and password manager domain checks because the destination only becomes visible after scanning on a second device. Passive tracking beacon: Markdown images embedded via URL shorteners (e.g., shorturl.at) are auto-fetched on every render, leaking the victim’s IP address, User-Agent, Referer header, and high-resolution timing to attacker-controlled infrastructure What makes ChatGPhish particularly dangerous is not just the injection itself, but where the output lands. As OWASP LLM01:2025 identifies, the core risk with prompt injection is that LLMs cannot reliably distinguish between legitimate instructions and attacker-supplied content embedded in retrieved data. Once that attacker content is processed, it surfaces inside the ChatGPT response window, styled identically to genuine assistant output, complete with formatted alerts, clickable links, and inline images. The browser’s same-origin policy offers no protection because the AI assistant executes with the user’s authenticated context, making traditional web security boundaries irrelevant. Permiso submitted the initial vulnerability report to OpenAI via Bugcrowd on April 29, 2026, citing “Untrusted Markdown Rendering Leads to XSS, Phishing, and Data Exfiltration.” OpenAI responded noting the report could not be reproduced. A revised submission on May 1, 2026, with expanded proof-of-concept steps, was subsequently classified as a duplicate of a previously reported issue. After follow-up communication on May 7, 2026, clarifying the broader phishing, QR-code, and passive tracking implications, the research was publicly published on May 29, 2026. Until clear source separation is enforced between retrieved web content and rendered assistant output, security teams should apply the following mitigations: Avoid using AI browser summarization features on pages containing user-generated or untrusted content (Reddit, public GitHub READMEs, blogs) Restrict AI browser permissions to the minimum necessary; require human approval before any link interaction within summarized responses Treat any clickable link, image, or alert appearing inside an AI summary as potentially attacker-controlled until origin attribution is clearly displayed Deploy semantic input/output filtering and anomaly detection on AI-integrated surfaces within enterprise environments Monitor AI browser activity logs for unexpected outbound image fetch requests to unknown or URL-shortened endpoints The ChatGPhish research underscores a structural challenge facing all browser-integrated AI summarization systems: as long as attacker-controlled web content can influence rendered assistant output without explicit origin labeling, the browser itself remains a practical, low-barrier delivery surface for phishing, device pivoting, and passive reconnaissance. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware WhatsApp Chat Histories Stored Unencrypted on macOS and iOS New PureLogs Variant Uses MsBuild.exe Process Hollowing to Evade Detection GitHub Adds Staged Publishing to npm to Block Automated Supply Chain Attacks New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely Latest News Cyber Security News Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware Cyber Security News Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware Cyber Security News Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens Cyber Security News Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products Cyber Security News MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗