
ChatGPhish: How ChatGPT Web Summaries Became a Phishing Surface

June 15, 2026
Topics: SaaS Security

On May 29, 2026, security researcher Andi Ahmeti at Permiso Security published details of a vulnerability class named ChatGPhish, a prompt injection technique that turns ChatGPT's web summarization feature into a phishing delivery channel.

The Register independently reproduced the behavior the same day, confirming it worked on unpatched ChatGPT at the time of disclosure.

How it works

When a user asks ChatGPT to summarize a webpage, the chatgpt.com renderer trusts Markdown links and image URLs from that page and surfaces them as live, clickable elements inside the ChatGPT interface. 

An attacker who controls any publicly accessible webpage can embed a small payload that, when summarized by ChatGPT, renders as:

  • Spoofed OpenAI security alerts with phishing links
  • Inline QR codes that move the attack onto the victim's mobile device
  • Passive tracking pixels that leak the victim's IP address and device metadata on every render
  • Attacker-controlled hyperlinks visually indistinguishable from model-generated output

"The chatgpt.com response renderer trusts Markdown links and Markdown image URLs that originated from a third-party page the assistant has just summarized," Ahmeti said in a report shared with The Hacker News.

No prior access to the victim's account is needed. No browser vulnerability is required. The only prerequisites are a webpage the attacker can publish and a user who asks ChatGPT to summarize it.
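The mechanism above comes down to one trust boundary: Markdown links and image URLs that originated in a summarized third-party page reach the renderer as if the model had written them. The sanitizer below is an added example, not Permiso's or OpenAI's code, showing the defensive post-processing step a renderer can apply before turning assistant output into HTML. It assumes the operator maintains an allowlist of trusted hosts (`trusted_hosts`, an assumption) and that output can be rewritten before rendering; images from non-allowlisted hosts are dropped (no fetch, so no tracking pixel), links to non-allowlisted hosts are rendered as plain text with the destination host shown, and every neutralized element is reported so it can be logged or alerted on. The sample summary text is constructed for the example.

```python
"""Neutralize Markdown links and images in assistant output that may have been
copied from an untrusted web page (added example, not the renderer's own code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Markdown image: ![alt](url "optional title")
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)')
# Markdown link: [label](url "optional title"), not preceded by '!'
LINK_RE = re.compile(r'(?<!!)\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)')


@dataclass
class Finding:
    kind: str    # "image" or "link"
    target: str  # "scheme:host" of the neutralized element
    label: str   # alt text or link label as it appeared in the output


@dataclass
class Result:
    text: str
    findings: list = field(default_factory=list)


def describe(url):
    """Return (scheme, host) for a URL; host is '' for data:, relative or malformed URLs."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.scheme, parts.hostname
    return parts.scheme or "relative", parts.hostname or ""


def neutralize_markdown(text, trusted_hosts=()):
    """Drop images and defang links unless their host is on the operator allowlist
    (assumed to exist). Images are processed first so that a nested
    [![alt](img)](url) construct leaves no clickable link behind."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []

    def drop_image(m):
        alt, url = m.group(1), m.group(2)
        scheme, host = describe(url)
        if scheme in ("http", "https") and host in trusted:
            return m.group(0)
        findings.append(Finding("image", f"{scheme}:{host}", alt))
        # No brackets in the placeholder: it must not form a new Markdown link.
        return f"(image removed: {host or scheme})"

    def defang_link(m):
        label, url = m.group(1), m.group(2)
        scheme, host = describe(url)
        if scheme in ("http", "https") and host in trusted:
            return m.group(0)
        findings.append(Finding("link", f"{scheme}:{host}", label))
        # Keep the label readable and show the real destination, but not as a link.
        return f"{label} [external link to {host or scheme}, not clickable]"

    out = IMAGE_RE.sub(drop_image, text)
    out = LINK_RE.sub(defang_link, out)
    return Result(out, findings)


# Constructed sample of what a summary might carry after ingesting a page:
# one link to a documentation host the operator trusts, a zero-content image
# from an unrelated host, and a link to a host that is not on the allowlist.
SAMPLE_SUMMARY = (
    "The page describes a product launch. "
    "[Read the release notes](https://docs.example.com/notes) "
    "![](https://img.example.net/pixel.gif) "
    "[Confirm your settings](https://login.example.org/confirm)"
)

if __name__ == "__main__":
    result = neutralize_markdown(SAMPLE_SUMMARY, trusted_hosts=("docs.example.com",))
    print(result.text)
    for f in result.findings:
        print(f"neutralized {f.kind}: {f.target} (label={f.label!r})")
```

The findings list is the detection half: a spike in neutralized images or links in summaries of a given source URL is a cheap signal that a page is being used as a delivery channel, and it costs nothing to emit because the rewrite has already parsed the elements.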

Why this is harder to train against than email phishing

Traditional phishing defense is built around email. Security training teaches employees to hover over links before clicking, treat unexpected requests with suspicion, and verify sender domains. ChatGPhish bypasses all of that.

The phishing content appears inside ChatGPT's own interface, not in an email from an unknown sender. To the user, it looks like the AI generated it. 

The Cloud Security Alliance's analysis of ChatGPhish noted that the passive tracking capability is especially relevant for intelligence-gathering.

The QR code vector adds another layer. Security training teaches "hover the link", not "do not scan a QR code ChatGPT drew for you."
