ChatGPhish shows how a ChatGPT summary can become a phishing path
An AI summary can become a phishing surface when links and images are rendered without enough context.📷 AI-generated image / TECH&SPACE
- ★ChatGPhish targets ChatGPT’s web response rendering, especially Markdown links and images.
- ★Permiso Security links the technique to prompt injection and phishing risk.
- ★The case shows that AI security must include the renderer, sources and user interface.
That matters because it shifts the security conversation away from the model alone. Classic prompt injection is usually discussed as a problem of what the model reads and how instructions hidden in untrusted content can alter its response. ChatGPhish, based on the supplied report context, pushes the risk closer to the user. If malicious content is rendered as a convincing link, image or neatly formatted part of an answer, the attack no longer depends only on whether the model reasons badly. It also depends on whether the interface presents a credible path toward the wrong action.
Markdown is central here because it is a lightweight way to structure text, links and images. In ordinary publishing, that is useful and predictable. In an AI assistant summarizing external content, it becomes a sensitive channel. If the renderer places too much trust in formatting that originated in untrusted material, the user may see a clean answer that looks like a helpful summary but contains elements that support a phishing flow. The lesson is not that Markdown is inherently unsafe. The lesson is that external links, images and embedded instructions must be treated as attack surfaces when they pass through an AI interface.
Permiso Security describes a weakness in the chatgpt.com response renderer, where trust in Markdown links and images can turn summaries into prompt-injection and phishing paths.
ChatGPhish targets the thin layer between Markdown formatting, the renderer and the user click.📷 AI-generated image / TECH&SPACE
For OpenAI, this class of issue is especially sensitive because ChatGPT is increasingly used as an intermediary to the web. Users ask it to summarize pages, compare claims, explain reports and reduce noise. Once trust moves from the original page to the assistant’s answer, attackers have an incentive to move there as well. A link inside an AI-generated response can feel more legitimate than the same link on an unfamiliar website, precisely because the assistant appears to have already filtered the material.
The available context does not support broader claims about affected user counts, the lifetime of the flaw or active campaigns, so those should not be invented. The important confirmed shape is enough: prompt injection, Markdown rendering and phishing are intersecting in a place where users expect the product to be both readable and safe. That is a serious design problem, not just a content moderation problem.
Defending against it cannot rely only on model-level warnings or generic advice to avoid suspicious links. AI products need stricter rendering sanitation, clearer external destination cues, limits around images and links sourced from untrusted summaries, and security rules that recognize an AI answer is not merely a text transcript. ChatGPhish shows how thin the boundary has become between content, interface and action. Anyone building assistants has to test them as web applications, as systems that process hostile input and as decision surfaces where a user may click within a second.
