ChatGPhish — ChatGPT Markdown Renderer Turns Any Summarized Webpage Into a Live Phishing Surface; No Patch After 30 Days

Permiso Security's P0 Labs disclosed ChatGPhish on 2026-05-29: ChatGPT's web-summarization feature blindly trusts Markdown links and image URLs originating from third-party pages the assistant has summarized, rendering them as live, clickable elements inside the trusted ChatGPT interface with no origin labeling. Any attacker who controls a webpage can embed attacker-controlled Markdown into that page; when a victim asks ChatGPT to summarize the page, the assistant's response renders phishing links (indistinguishable from AI-generated content), remote image beacons (passive telemetry/tracking), spoofed system-style alerts, and QR-code pivots that redirect victims to a second device bypassing desktop URL defenses. Permiso reported to OpenAI via Bugcrowd on April 29, followed up May 7, and received no fix before the 30-day public disclosure.

Attacker publishes or modifies any webpage with a small embedded Markdown payload containing attacker-controlled URLs and image tags. Victim asks ChatGPT ('summarize this URL'). ChatGPT's renderer trusts and renders the attacker's Markdown as part of its own response — no user interaction beyond a standard summarization prompt is required. The attack bypasses email gateways, DMARC controls, and phishing filters because delivery occurs inside a legitimate HTTPS session to chatgpt.com.

ChatGPT web interface (chatgpt.com) with web-browsing/summarization enabled; any enterprise or developer workflow using ChatGPT to summarize external URLs. The vulnerability class (renderer trust of third-party Markdown) may apply to other AI summarization tools including Perplexity, Microsoft Copilot, and Google Gemini — independent research disclosure pressure expected within 30–60 days.

No patch available as of 2026-05-30. Immediate compensating controls: (1) Route all AI-generated summaries through a secure web proxy that intercepts and inspects rendered URLs before they reach analyst workstations. (2) Configure browser isolation for chatgpt.com sessions where analysts routinely summarize external URLs. (3) Treat links appearing in AI summaries of third-party content as untrusted until ChatGPT issues a fix confirming origin labeling and Markdown sanitization for third-party content. (4) Alert SOC teams that threat-intelligence workflows using ChatGPT to triage external URLs are now a potential phishing vector.