Any Web Page Can Turn ChatGPT Into a Phisher

Key Takeaways

  • ChatGPhish is an indirect prompt injection that abuses ChatGPT's trust in Markdown links and images taken from pages it summarizes.
  • Attackers can render fake security alerts, clickable phishing buttons and QR codes inside the ChatGPT interface.
  • Tracking pixels can leak a victim's IP address, user agent and timing.
  • Permiso reported the issue to OpenAI in late April 2026 and published it on May 29, 2026.
  • No fix had been confirmed at the time of disclosure.

Summary

A trusted assistant can be turned against its user. On May 29, 2026 researchers disclosed ChatGPhish, a browser-based indirect prompt injection that abuses ChatGPT's page summarization. As covered by The Hacker News, hidden content in a summarized page can render attacker links, fake alerts and QR codes inside ChatGPT, turning a convenience feature into a phishing surface that inherits the assistant's credibility.

What We Know

ChatGPhish was disclosed by researchers at Permiso Security, who submitted an initial report to OpenAI through a bug bounty program on April 29, 2026 and published the full chain on May 29, 2026 after limited vendor response. According to The Register, the technique builds on cross-prompt injection and exploits how ChatGPT's response renderer trusts Markdown links and image URLs that originate from a third-party page the assistant has just summarized. The renderer automatically fetches those images and surfaces the links as live, clickable elements inside the trusted interface. Researchers demonstrated three chains: fake OpenAI security alert buttons styled to match the ChatGPT user interface, inline QR codes that move the lure from the desktop to a victim's phone, and tracking pixels that leak network metadata. OpenAI initially marked the first submission as not reproducible, and no fix had been confirmed at publication.

What Could Happen

This is a prompt injection problem with a rendering twist rather than a server breach. The root cause is a trust boundary failure: content fetched from an untrusted web page is rendered with the same visual authority as messages from the assistant itself. Several AI-specific properties make it dangerous. The model summarizes arbitrary pages on demand, so the attacker only needs the victim to summarize a link, a routine action. Because the malicious elements appear inside the official interface, the usual phishing cues such as a strange domain or off-brand styling are absent. A victim could click a fake security button, scan a QR code that opens an attacker site on their phone, or simply load a tracking pixel that reveals their network fingerprint. None of this requires the user to leave ChatGPT or notice anything unusual, which is what makes contextual, trust-inheriting injections so effective against human judgment.
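The trust boundary described above can be enforced where it failed, at output rendering. The following is an added example (not Permiso's, OpenAI's or PointGuard's code) of a guardrail that post-processes assistant Markdown before it is rendered: every image is replaced with inert text, since auto-fetching is the channel tracking pixels and QR lures depend on, and links to any host other than the summarized page are flattened into plain text that shows the real destination. The allowed host set and the injected sample summary are constructed assumptions.

```python
import re
from typing import NamedTuple
from urllib.parse import urlparse

# Matches Markdown images (leading "!") and links: [text](url "optional title")
_MD_LINK = re.compile(r'(!?)\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)')

class Finding(NamedTuple):
    kind: str   # "image" or "link"
    host: str   # destination host, "" when the URL has none (e.g. javascript:)
    text: str   # visible Markdown text, i.e. the lure wording, kept for monitoring

def _host(url: str) -> str:
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""

def sanitize_assistant_markdown(md: str, allowed_hosts: set):
    """Return (safe_markdown, findings). Every image becomes inert text, because
    auto-fetching is what leaks the viewer's IP and user agent and QR lures are
    images; links whose host is outside allowed_hosts are flattened to text that
    shows the real destination, so they cannot pose as a styled in-app button."""
    findings = []

    def _rewrite(m):
        is_image, text, url = m.group(1) == "!", m.group(2).strip(), m.group(3)
        host = _host(url)
        if is_image:
            findings.append(Finding("image", host, text))
            return f"[image removed: {host or 'no host'}]"
        if host in allowed_hosts:
            return m.group(0)          # link back to the summarized page itself
        findings.append(Finding("link", host, text))
        return f"{text} (external link not rendered: {host or 'no host'})"

    return _MD_LINK.sub(_rewrite, md), findings

# Constructed sample (hosts are made up): a summary carrying Markdown that the
# summarized page smuggled in alongside the genuine content.
SAMPLE = (
    "The article argues for stronger supply chain controls.\n"
    "Source: [read more](https://news.example.org/story)\n"
    "![](https://pixel.example.net/p.gif?id=42)\n"
    "[Security alert: verify your account](https://accounts-openai.example.com/verify)\n"
)

if __name__ == "__main__":
    # allowed_hosts is assumed to be the host of the page the user asked to summarize
    print(*sanitize_assistant_markdown(SAMPLE, {"news.example.org"}), sep="\n")
```

The findings list is what a monitoring pipeline would record: the injected lure text and the host it pointed to survive as telemetry even though neither reaches the user as an active element.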

Why It Matters

Hundreds of millions of people now treat AI assistants as a trusted layer over the web, which makes the assistant interface a high value place to stage social engineering. Credential theft, account takeover and malware delivery all become easier when the lure wears the brand of the tool the victim already trusts. For enterprises, employees using AI assistants to summarize external content could be funneled toward credential phishing that bypasses email gateways entirely. The incident also highlights a governance gap, because defenders monitor email and web for phishing, but few inspect what an AI assistant renders back to a user. Regulators focused on consumer protection and frameworks like the NIST AI Risk Management Framework increasingly expect providers to address foreseeable misuse of generative features. ChatGPhish shows that output rendering, not just model behavior, belongs in the threat model, and that indirect prompt injection remains the most stubborn unsolved problem in deployed AI.

PointGuard AI Perspective

PointGuard AI helps organizations treat assistant inputs and outputs as untrusted until proven otherwise. Our guardrails inspect the content flowing into and out of AI applications, so indirect prompt injection that smuggles instructions or active links through summarized web pages can be detected and constrained rather than rendered with full trust. Policy enforcement lets teams define what an AI assistant is allowed to surface, including limits on auto-fetched images, external links and embedded media that can be abused for phishing or tracking. Continuous monitoring records the prompts, retrieved content and responses, giving security teams the visibility to spot injection patterns and respond. We have seen similar manipulation before, as in our analysis of prompt injection against medical AI chatbots, where untrusted content steered an assistant toward unsafe output. The lesson is consistent: the trust boundary belongs at every point where external data meets the model. By learning how PointGuard AI approaches AI application security and governance, organizations can build these controls before an injection technique reaches their users. Trustworthy AI adoption depends on assuming the web is hostile and designing assistants that never lend their credibility to attacker-supplied content.

Incident Scorecard Details

Total AISSI Score: 5.6 / 10

Criticality = 6, targets a global customer facing assistant and the trust users place in it, AISSI weighting: 25%

Propagation = 6, any summarized page can carry the payload, though each attack is user triggered, AISSI weighting: 20%

Exploitability = 5, a working technique was publicly demonstrated with no confirmed mass abuse, AISSI weighting: 15%

Supply Chain = 6, the risk rides on a hosted third party model and its rendering pipeline, AISSI weighting: 15%

Business Impact = 5, credible phishing and tracking potential, with no confirmed financial or regulatory harm yet, AISSI weighting: 25%


Scoring Methodology

Category         Weight   Description
Criticality      25%      Importance and sensitivity of the affected assets and data.
Propagation      20%      How easily the issue can escalate or spread to other resources.
Exploitability   15%      Whether the threat is actively exploited or only demonstrated in a lab.
Supply Chain     15%      Whether the threat originated with, or was amplified by, third-party vendors.
Business Impact  25%      Operational, financial, and reputational consequences.
