ChatGPhish: How Attackers Weaponize ChatGPT’s Web Summaries for Phishing

Because ChatGPT does not sufficiently sanitize Markdown content from web pages before rendering it, any third-party page the model browses becomes a potential phishing vector. This is not a server-side exploit of OpenAI’s infrastructure — it is a client-side rendering weakness that abuses the browser-based trust users place in ChatGPT’s visual output.

The Lineage: Prompt Injection Flaws Leading to ChatGPhish

ChatGPhish did not appear in a vacuum. It is the latest chapter in a multi-year escalation of prompt injection techniques that have followed each new capability OpenAI adds to ChatGPT. When the model gained web browsing, code execution, plugin support, and memory, attackers found fresh surfaces to inject instructions and exfiltrate data.

Here are the key waypoints on the path to ChatGPhish:

• November 2022 — Birth of prompt injection: Prompt injection was named and demonstrated against GPT-3 just 13 days before ChatGPT launched on November 30, 2022. Within hours of launch, users bypassed the assistant’s safety layer through persona framing and roleplay .
• 2023–2024 — Indirect prompt injection and Markdown-based data exfiltration: Researchers discovered that ChatGPT’s Markdown image rendering could be abused to leak conversation data. Attackers uploaded malicious prompts to public websites; when ChatGPT interacted with them, it responded with Markdown image tags that automatically fetched external URLs containing exfiltrated data .
• May 2024 — Personal data exfiltration via memory: A research paper showed that ChatGPT 4 and 4o were susceptible to prompt injection attacks that could retrieve users’ personal data, with the assistant’s memory feature amplifying the exposure .
• March 2025 — CVE-2025-43714 (SVG/HTML injection): ChatGPT was found to render SVG documents inline in web browsers instead of displaying them as plaintext in code blocks. This enabled attackers to inject arbitrary HTML that could be leveraged for phishing attacks directly inside the ChatGPT interface .
• February–March 2026 — DNS-based data exfiltration and Markdown image injection: Check Point disclosed a vulnerability in ChatGPT’s code execution environment that permitted DNS tunneling to siphon conversation data. OpenAI patched it on February 20, 2026. A separate vector emerged that same month using malicious Markdown image links to exfiltrate chat logs, system prompts, and user inputs via DNS queries .
• May 2026 — ChatGPhish: This vulnerability synthesizes multiple threads: indirect prompt injection, untrusted Markdown rendering, and the page summarization feature. The key shift is that ChatGPhish is weaponized for active phishing — presenting live phishing content inside the trusted ChatGPT UI — rather than purely for covert data exfiltration .

Each step in this timeline shows the same pattern: a new ChatGPT capability opens a fresh injection surface, and the Markdown renderer repeatedly proves to be the weak link because it implicitly trusts content from external pages.

OpenAI’s Response as of Late May 2026

As of May 29–30, 2026, the available reporting documents Permiso Security’s public disclosure of ChatGPhish on May 29, but no public statement or patch from OpenAI specific to this vulnerability had been reported .

OpenAI was not idle on security during this window. The company managed two separate incidents in May 2026 that were unrelated to ChatGPhish:

• May 13, 2026 — OpenAI published its response to the TanStack npm supply chain attack (known as “Mini Shai-Hulud”), confirming that two employee devices were compromised but that no user data was accessed .
• May 14, 2026 — The company forced updates to its macOS ChatGPT app as part of the same supply-chain incident containment .

The gap between ChatGPhish’s disclosure and any acknowledgment from OpenAI is significant. It leaves ChatGPT’s web summarization surface exposed in the interim, with the public now aware of a phishing path that requires only a user asking ChatGPT to summarize a carefully prepared web page.

Broader Context and Implications

ChatGPhish matters because it attacks the interface trust that makes AI assistants useful. When ChatGPT browses the web, summarizes a page, and presents links inside its own UI, users have no visual signal that those links originated from an untrusted third party rather than from OpenAI itself.

Organizations that allow employees to use ChatGPT’s browsing features should treat web summaries as an untrusted content source until OpenAI issues a fix. The vulnerability also highlights a recurring architectural tension: AI assistants that blend first-party UI with third-party data need renderers that treat all external content as potentially hostile, not just as display text.