thehackernews.com web signal

Permiso Security exposes ChatGPT as live phishing surface

openai cybersecurity ai-security prompt-injection phishing

Key insights

  • ChatGPT's web renderer trusts third-party Markdown links and images without sanitization, enabling embedded phishing content in AI-generated summaries.
  • Permiso reported the flaw to OpenAI via Bugcrowd 30 days before public disclosure; no patch was shipped during that window.
  • The Register independently confirmed the vulnerability on May 29, establishing that the attack works reliably against unpatched ChatGPT.

Why this matters

Any enterprise or developer workflow using ChatGPT to summarize external URLs is now a potential phishing vector with no patch available and no user interaction required beyond a standard prompt. The 30-day disclosure window without a fix signals that AI providers may not classify prompt-injection-via-renderer as urgently as traditional CVEs, creating a dangerous lag between discovery and remediation. Developers building LLM-powered summarization pipelines need to audit whether their own renderers inherit the same blind trust in third-party Markdown content, since the vulnerability class is architectural, not instance-specific.
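The audit the paragraph above calls for needs a concrete control to audit against. The following is an added example, not code from Permiso, OpenAI, or The Register: a small post-processing filter that a summarization pipeline can run over model output before rendering it. It treats every Markdown image and hyperlink in the model's output as third-party content: images are removed outright (an image URL is fetched automatically by the renderer and is how a QR code or tracking pixel would arrive), links are kept only when their host is on an allowlist the caller supplies, and the destination host is shown next to allowed links so spoofed link text cannot hide it. The allowlist, the `example.com` / `attacker.test` hosts, and the sample summary are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Markdown image ![alt](url "title") and link [text](url "title").
# Images are matched first; the link pattern excludes a leading "!" so it
# does not re-match the "[alt](url)" tail of an image.
_IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)')
_LINK_RE = re.compile(r'(?<!!)\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)')
# Autolinks <https://...>; also catches javascript: and data: pseudo-URLs.
_AUTOLINK_RE = re.compile(r'<((?:https?|javascript|data):[^>]*)>')


@dataclass
class SanitizeResult:
    text: str                                   # Markdown safe to hand to the renderer
    findings: list = field(default_factory=list)  # (kind, url) pairs removed, for logging/alerting


def _host_of(url):
    """Return the lowercase host of an http(s) URL, or None for anything else."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return None
    if parsed.scheme not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower()


def _allowed(host, allowed_hosts):
    """A host is allowed if it equals, or is a subdomain of, an allowlisted host."""
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def sanitize_markdown(markdown, allowed_hosts):
    """Strip images and unlisted links from model-generated Markdown.

    allowed_hosts is the caller's trust decision, e.g. the host of the page
    the user asked to summarize plus any corporate domains; everything else
    in the model's output is treated as attacker-influenced.
    """
    findings = []

    def drop_image(m):
        alt, url = m.group(1), m.group(2)
        findings.append(("image", url))
        return f"[image removed: {alt or 'untitled'}]"

    def check_link(m):
        text, url = m.group(1), m.group(2)
        host = _host_of(url)
        if _allowed(host, allowed_hosts):
            # Keep the link but print its host so the visible text can't lie about it.
            return f"[{text}]({url}) ({host})"
        findings.append(("link", url))
        return f"{text} [link removed]"

    def drop_autolink(m):
        findings.append(("autolink", m.group(1)))
        return "[link removed]"

    out = _IMAGE_RE.sub(drop_image, markdown)
    out = _LINK_RE.sub(check_link, out)
    out = _AUTOLINK_RE.sub(drop_autolink, out)
    return SanitizeResult(out, findings)


# Constructed sample: what a summarizer might emit after reading a page whose
# author planted a spoofed alert, a foreign login link and a QR-code image.
SAMPLE_SUMMARY = """\
## Summary of https://docs.example.com/release-notes

The release adds SSO support. **Action required:** your session has expired,
[re-authenticate here](https://login-example.attacker.test/sso) to keep access.

![Scan to verify your account](https://cdn.attacker.test/qr.png)

Full notes: [release notes](https://docs.example.com/release-notes/v2)
See also <https://attacker.test/help>
"""

if __name__ == "__main__":
    result = sanitize_markdown(SAMPLE_SUMMARY, {"example.com"})
    print(result.text)
    for kind, url in result.findings:
        print(f"removed {kind}: {url}")
```

Run as a script, the sanitized text keeps the `docs.example.com` link (annotated with its host) and replaces the login link, the QR image and the autolink with visible "removed" markers; `findings` is what you would feed to logging or an alert, since a summary that needed three removals is itself a signal worth investigating. The filter is deliberately conservative: it drops images rather than proxying them, because an allowlist for image hosts is a separate trust decision.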

Summary

ChatGPT's web-summarization feature can be turned into a phishing delivery mechanism by any attacker who controls a page the model is asked to summarize. Permiso Security disclosed ChatGPhish on May 29: the renderer blindly trusts Markdown image URLs and hyperlinks from third-party pages, letting attackers embed phishing links, spoofed alerts, and QR codes inside the trusted ChatGPT interface with no extra user action. Essentially: Permiso Security and OpenAI are 30 days past the initial report with no patch deployed.

  • Permiso filed via Bugcrowd on April 29 and followed up on May 7; no fix had shipped as of public disclosure.
  • The Register independently reproduced the behavior on May 29, confirming the vulnerability is real and active.
  • The attack requires only a routine "summarize this URL" prompt, so it scales to any ChatGPT user, none of whom need be aware of it.

The gap between AI feature velocity and security review cycles is now a live, confirmed attack surface.

Potential risks and opportunities

Risks

  • Enterprise security operations teams using ChatGPT to triage threat intelligence URLs could be served spoofed alerts inside the ChatGPT interface, redirecting analysts to attacker-controlled infrastructure before a patch ships.
  • OpenAI faces regulatory exposure under EU AI Act incident-reporting requirements if a documented phishing campaign exploiting ChatGPhish surfaces while the vulnerability remains unpatched in mid-2026.
  • Other AI platforms with web-rendering or summarization features, including Perplexity, Google Gemini, and Microsoft Copilot, may carry identical trust-model flaws and face coordinated researcher disclosure pressure within the next 30 to 60 days.

Opportunities

  • Browser isolation and zero-trust content vendors (Menlo Security, Zscaler, Cloudflare Gateway) can use ChatGPhish as a concrete case study for why AI-generated content requires the same rendering controls as raw web traffic.
  • AI red-team and security testing firms (Adversa AI, HiddenLayer, Lakera) gain a high-profile reference vulnerability to anchor LLM attack-surface assessments in enterprise sales during the Q3 2026 budget cycle.
  • OpenAI and Bugcrowd both face public scrutiny over response times; a fast, transparent remediation here would strengthen researcher trust and improve submission volume ahead of the next comparable disclosure.

What we don't know yet

  • Whether OpenAI has assigned an internal severity rating to ChatGPhish or is treating it as a design limitation rather than a patchable security defect, which would affect the remediation timeline.
  • Whether the vulnerability extends beyond URL summarization to other ChatGPT surfaces that render third-party content, including plugin outputs, file-based summaries, and API Markdown responses.
  • Whether Permiso's Bugcrowd submission was accepted under OpenAI's bug bounty scope, since prompt-injection-via-renderer may fall outside currently eligible vulnerability classes.