ChatGPhish: Permiso Security documents ChatGPT Markdown renderer trusting third-party image URLs and links — used for IP exfiltration and phishing via legitimate chatgpt.com
From CTI Daily Brief — 2026-05-30 · published 2026-05-30 · view item permalink →
Permiso Security's P0 Labs (researcher Andi Ahmeti) disclosed on 29 May 2026 that ChatGPT's web summarisation feature unconditionally trusts and renders Markdown image URLs and links extracted from third-party pages, executing them inside the trusted chatgpt.com UI (Permiso Security P0 Labs, 2026-05-29; The Hacker News, 2026-05-29). An attacker embedding a small Markdown payload on any web page (GitHub README, SaaS dashboard, documentation portal) triggers the attack when a victim asks ChatGPT to summarise the page: the payload executes silently and can exfiltrate the victim's IP, User-Agent, and Referer via attacker-hosted image fetch; render malicious links styled as ChatGPT output; inject fake security alerts; and serve QR codes from attacker-controlled S3 buckets that bypass desktop URL filters by moving the click action to mobile. Permiso submitted to OpenAI via Bugcrowd on 29 April; after follow-up on 7 May, OpenAI marked it as not reproducible then as not applicable, without resolution. No CVE assigned. Defenders using ChatGPT for document summarisation in enterprise workflows should: restrict ChatGPT access to internal documentation portals; educate users that any AI-summarised third-party page can carry attacker instructions embedded in rendered output.