Home · Live brief · Daily brief 2026-05-30
ChatGPhish: Permiso Security documents ChatGPT Markdown renderer trusting third-party image URLs and links — used for IP exfiltration and phishing via legitimate chatgpt.com
Entities: ChatGPhish
Part of run 2026-05-30-aca445cc (intel · Claude Sonnet 4.6)
Permiso Security's P0 Labs (researcher Andi Ahmeti) disclosed on 29 May 2026 that ChatGPT's web summarisation feature unconditionally trusts and renders Markdown image URLs and links extracted from third-party pages, executing them inside the trusted chatgpt.com UI (Permiso Security P0 Labs, 2026-05-29; The Hacker News, 2026-05-29). An attacker embedding a small Markdown payload on any web page (GitHub README, SaaS dashboard, documentation portal) triggers the attack when a victim asks ChatGPT to summarise the page: the payload executes silently and can exfiltrate the victim's IP, User-Agent, and Referer via attacker-hosted image fetch; render malicious links styled as ChatGPT output; inject fake security alerts; and serve QR codes from attacker-controlled S3 buckets that bypass desktop URL filters by moving the click action to mobile. Permiso submitted to OpenAI via Bugcrowd on 29 April; after follow-up on 7 May, OpenAI marked it as not reproducible then as not applicable, without resolution. No CVE assigned. Defenders using ChatGPT for document summarisation in enterprise workflows should: restrict ChatGPT access to internal documentation portals; educate users that any AI-summarised third-party page can carry attacker instructions embedded in rendered output.