ChatGPhish Attack Turns Web Pages Into Phishing Payloads Inside ChatGPT Summaries

Security researchers have disclosed a prompt injection technique called ChatGPhish that can turn ordinary web pages into phishing content inside ChatGPT summaries. The issue, detailed by Permiso Security, shows how attacker-controlled text on a web page can influence the summary ChatGPT displays to a user.

The attack works when a user asks ChatGPT to summarize a web page that contains hidden or visible malicious instructions. Those instructions can cause the response to show phishing links, fake account alerts, remote images, or QR codes inside the trusted ChatGPT interface.

The risk comes from trust transfer. A user may treat content shown inside ChatGPT as safer than the original web page, especially when the answer looks like a normal assistant response. OpenAI has already described prompt injection as a growing security challenge for AI systems that browse the web, use connected apps, or act on behalf of users in its prompt injection guidance.

What ChatGPhish Does

ChatGPhish abuses the gap between untrusted web content and trusted AI output. A malicious page can include instructions that tell the AI assistant how to format its answer. If those instructions affect the summary, the final response can carry attacker-controlled links or images.

Permiso said the attack can work against web pages such as GitHub READMEs, documentation pages, blogs, product pages, and other browser content. The researcher used Firefox during testing, but the company stressed that the issue does not sit in Firefox itself. The browser only passes page content into the summarization flow.

The problem matches the broader class of indirect prompt injection risks described by OWASP LLM01:2025. In these cases, the model receives instructions from an external source, such as a web page or file, and may treat them as part of the task instead of untrusted data.

How the Attack Can Reach Users

The attacker does not need to compromise ChatGPT or the user’s account. They only need to place malicious instructions on a web page that the victim later asks ChatGPT to summarize. That page can still look normal to the user.

Once ChatGPT processes the page, the attacker’s instructions can shape part of the answer. The output may include a fake security warning, a clickable phishing link, or a QR code that sends the user to a malicious page on a second device.

Attack Method	What the User Sees	Why It Matters
Phishing link	A live link inside the ChatGPT answer	The user may trust it because it appears in the assistant UI
Fake alert	A security-style message in the summary	The attacker can imitate urgent account warnings
QR code	An inline image the user can scan	The attack can move from desktop to mobile
Tracking image	A remote image loaded inside the answer	The attacker can collect request telemetry

Why QR Codes and Images Make This Harder to Spot

Links inside a browser can trigger hover previews, password manager warnings, blocklists, and other desktop defenses. A QR code changes that flow. The user scans it on a phone, where the original desktop context no longer protects the click.

Remote images create another risk. Permiso said image rendering can cause a request to attacker-controlled infrastructure, which may reveal details such as IP address, User-Agent, Referer where available, and timing data. The ChatGPhish research also showed that the same idea could work on a normal self-hosted page, not only on GitHub content.

This makes the issue more than a bad summary. It turns the assistant response into a delivery surface for phishing and passive tracking, especially when users do not see a clear distinction between retrieved page content and ChatGPT’s own wording.

OpenAI Has Already Warned About Prompt Injection Risk

OpenAI has repeatedly said that prompt injection remains a hard problem for AI products connected to the web and external apps. In its prompt injection explainer, the company compares the risk to social engineering aimed at AI systems rather than directly at humans.

In February 2026, OpenAI introduced Lockdown Mode and Elevated Risk labels for certain ChatGPT capabilities. The company said some network-related features can create risks that the wider industry has not fully solved yet.

OpenAI also said Lockdown Mode can restrict how ChatGPT interacts with external systems in high-risk environments. That does not directly confirm a fix for ChatGPhish, but it shows that OpenAI treats prompt injection and data exfiltration as product-level security concerns.

Why This Is Not a Normal Browser Bug

Traditional browser security relies on origin boundaries. A web page cannot simply read data from another site because the browser enforces those rules. ChatGPhish works differently because it targets the AI summarization layer and the way the final answer appears to the user.

The attacker’s content does not need to break the browser sandbox. It only needs to influence the AI-generated output. Once the assistant renders a malicious link or image as part of a polished response, the user may interact with it as if ChatGPT recommended it.

This is why origin labels matter. If the interface does not clearly separate third-party page content from assistant-generated guidance, users can struggle to tell which parts of the response came from the page and which parts came from ChatGPT.

What Security Teams Should Do

Security teams should treat AI web summaries as untrusted when the source page contains user-generated content, public documentation, third-party READMEs, forums, blogs, or unknown embedded images. Users should not click links or scan QR codes from summaries without checking the real destination first.

Developers building AI summarization tools should also follow the risk model described by OWASP LLM01. Retrieved web content should enter the system as untrusted data, not as instructions with the same authority as the user’s request or the application’s rules.

• Avoid summarizing untrusted pages that contain user-generated content when handling sensitive work.
• Do not scan QR codes shown inside AI-generated summaries unless the destination can be verified first.
• Check the real URL behind any link that appears in an AI response.
• Limit browser and connector permissions for AI tools used in enterprise environments.
• Monitor for unexpected outbound image fetches or shortener-based tracking from AI-integrated workflows.
• Use separate labeling for source content, model summaries, and security guidance inside AI interfaces.

Enterprise Controls Can Reduce the Blast Radius

Organizations that allow AI tools to access browser content should review which users need summarization, connectors, and agentic features. High-risk roles, such as executives, finance teams, incident responders, and administrators, need stricter controls because a successful prompt injection can lead to more sensitive outcomes.

OpenAI’s Lockdown Mode announcement points to one mitigation path for enterprise customers: reduce external interactions, add clearer risk labels, and give admins more control over which capabilities users can access.

The larger lesson reaches beyond ChatGPT. Any AI tool that ingests untrusted web content and renders rich output can face a similar problem. Phishing no longer has to arrive through email. It can sit on a normal page and wait for an assistant to summarize it.

FAQ