Congrats, ChatGPT Is Now a Phishing Tool
Ask ChatGPT to summarize a webpage and it might phish you. An attacker can embed invisible instructions in any page that hijack how ChatGPT renders the summary. Your IP leaks. Fake login links appear. Welcome to 2026.
# You asked ChatGPT to summarize a webpage. It phished you instead.
I wish I was making this up.
Researchers at Permiso Security just dropped a technique called ChatGPhish that turns ChatGPT's web summarization feature into a phishing delivery mechanism. Here's how stupid simple it is:
- Attacker adds a small invisible instruction payload to any webpage
- You visit that page and ask ChatGPT to summarize it (something millions of people do daily)
- ChatGPT reads the hidden instructions along with the page content
- The summary ChatGPT gives you contains fake clickable links and auto-loaded tracking images
- You click a link because it came from ChatGPT, the tool you trust
The links look legitimate because they're rendered inside ChatGPT's trusted interface. They're not in a sketchy email. They're not in a random popup. They're in the answer box of the AI assistant you use every day. Your brain registers it as safe because the source is "ChatGPT," not "suspicious-domain.com."
# What actually leaks.
Even if you don't click anything, the damage is already done. ChatGPT auto-fetches images referenced in the Markdown from the page it summarized. Those images are hosted on the attacker's server. When ChatGPT loads them, the attacker gets:
- Your IP address
- Your User-Agent (browser, OS, device type)
- Referer headers (what you were looking at)
- High-resolution timing data
Every time you re-open that ChatGPT answer, the images re-fetch. The attacker gets pinged again. They're tracking you through your AI assistant.
And if you click the fake links ChatGPT rendered? Those go to credential harvesting pages. Classic phishing, delivered through a channel nobody expected.
# Why this matters beyond the tech crowd.
I know some of you reading this are thinking "I don't use ChatGPT for work." Cool. But your employees do. Your kids do. Your spouse does. Someone in your organization is copying and pasting URLs into ChatGPT right now asking "summarize this for me" or "what does this article say."
And now any page they summarize could be weaponized.
This is the problem with AI tools in general. We're giving them broad access and deep trust without thinking about the security implications. ChatGPT can browse the web, render Markdown, auto-load images, and present clickable links inside its interface. Nobody stopped to ask "what happens when the webpage being summarized contains instructions for the AI?"
Prompt injection isn't new. But ChatGPhish packages it into something that hits regular users, not just developers and security researchers.
# What to do about it.
For individuals:
- Don't click links inside ChatGPT responses without checking where they actually go. Hover over them. Look at the URL. If it's not where you expect, don't click.
- Be skeptical of any AI-generated summary that includes "click here to verify" or "login to continue" language. ChatGPT summaries shouldn't be asking you to authenticate.
- If a summary includes images you didn't expect, the page you summarized might be tracking you through ChatGPT.
For businesses:
- If your team uses ChatGPT (and they do, whether you've approved it or not), this needs to be part of your security awareness training. People need to understand that AI outputs are not inherently trustworthy just because they come from a tool with a friendly interface.
- Consider enterprise AI governance. Which AI tools are approved? What data can be shared with them? What outputs should be treated with suspicion? If you don't have answers to these questions, you don't have an AI policy.
- Browser isolation can contain the impact of clicking malicious links, regardless of where they come from.
For OpenAI:
- Stop auto-fetching attacker-controlled images in chat responses. Seriously. This is basic.
- Sanitize Markdown links from third-party page summaries instead of rendering them as clickable elements inside the trusted UI.
- Permiso reported this responsibly. Fix it.
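
One way to apply the two rendering fixes listed above (no auto-fetch of third-party images, no clickable third-party links) to model output before it reaches a Markdown renderer. This is an added example, not OpenAI's or Permiso's code; the allowlisted host, the `sanitizeSummaryMarkdown` name and the sample text are assumptions made for illustration.

```javascript
// Added example. Hostnames and sample text are constructed for illustration.
const IMAGE_HOST_ALLOWLIST = new Set(["cdn.assistant.example"]); // hypothetical first-party CDN

// Parse a URL and accept only https; anything else is treated as unsafe.
function safeUrl(raw) {
  try {
    const u = new URL(raw.trim());
    return u.protocol === "https:" ? u : null;
  } catch {
    return null;
  }
}

function sanitizeSummaryMarkdown(md) {
  const findings = [];
  // Raw HTML images are dropped outright.
  let out = md.replace(/<img\b[^>]*>/gi, () => {
    findings.push({ kind: "image", url: "(html img tag)" });
    return "[image removed]";
  });
  // Markdown images survive only if they point at an allowlisted host,
  // so rendering the answer never sends a request to a third-party server.
  out = out.replace(/!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g, (m, alt, url) => {
    const u = safeUrl(url);
    if (u && IMAGE_HOST_ALLOWLIST.has(u.hostname)) return m;
    findings.push({ kind: "image", url });
    return "[image removed]";
  });
  // Markdown links become plain text with the real destination host shown
  // in a code span, so the reader sees where the link pointed.
  out = out.replace(/(?<!!)\[([^\]]+)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g, (m, text, url) => {
    const u = safeUrl(url);
    findings.push({ kind: "link", url });
    const host = u ? u.hostname : "non-HTTPS or unparseable URL";
    return `${text} (link removed, pointed to \`${host}\`)`;
  });
  return { markdown: out, findings };
}

// Constructed model output of the kind described above.
const SAMPLE = [
  "The article covers quarterly results.",
  "![](https://tracker.attacker.example/p.png?id=123)",
  "Your session expired. [Log in to continue](https://login.attacker.example/auth)",
  "![logo](https://cdn.assistant.example/logo.png)",
].join("\n");

const result = sanitizeSummaryMarkdown(SAMPLE);
console.log(result.markdown);
console.log(result.findings);
```

Reference-style links and bare URLs are not covered by this block; a production renderer should enforce the same policy again at the HTML/DOM layer. The `findings` array is there so the blocked URLs can be logged for detection.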
# The bigger lesson.
Every new tool is a new attack surface. ChatGPT, Copilot, Gemini, Claude, all of them process untrusted input and present outputs that users treat as authoritative. The moment we started trusting AI responses the same way we trust a colleague's email, we created a new phishing surface.
Your team needs to be trained on this. Not because they're dumb. Because the attacks are evolving faster than people's instincts, and nobody taught them to be skeptical of their AI assistant.
# Further reading
- Permiso ChatGPhish Research - the original disclosure with technical details
- OWASP Top 10 for LLM Applications - prompt injection is #1 on the list
- NIST AI Risk Management Framework - federal guidance on managing AI risk
- Cloudflare Browser Isolation - containment for malicious link clicks