ChatGPhish: ChatGPT Markdown Flaw Enables Prompt Injection Phishing

A newly disclosed ChatGPT phishing vulnerability called ChatGPhish is raising serious concerns about how AI-assisted web browsing can be turned against the very users it aims to help. Researchers at Permiso Security have revealed that ChatGPT's built-in trust of Markdown-formatted links and images creates an opening for attackers to inject malicious prompts directly into the AI's web summaries, effectively weaponising a routine productivity feature into a phishing delivery mechanism.

How ChatGPhish Exploits ChatGPT's Markdown Trust

When ChatGPT browses the web and summarises content for a user, it processes and renders Markdown formatting, including hyperlinks and embedded images. The ChatGPhish vulnerability exploits this behaviour by embedding specially crafted instructions inside web page content. Because ChatGPT treats that content as trusted input, the injected instructions can redirect the AI's output, coerce it into displaying deceptive links, or instruct it to solicit credentials from the user under false pretences.

This is an indirect prompt injection attack. Unlike direct prompt injection, where a user intentionally manipulates an AI with crafted inputs, indirect prompt injection hides malicious commands inside external content that the AI fetches and processes autonomously. The user never sees the hidden instructions; they only see whatever output the attacker has engineered the AI to produce. In the ChatGPhish case, that output can include convincing phishing prompts that appear to come from the AI itself, lending them a layer of false legitimacy.

What makes this particularly notable is that the attack surface is not the AI's underlying model but the trust it places in the web content it summarises. An attacker does not need to compromise OpenAI's systems. They only need to control or manipulate a web page that a user might ask ChatGPT to summarise.
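For teams that render model output in their own interface, the Markdown trust problem described above can be narrowed by filtering links and images before display. The following is an added example, not code from Permiso or OpenAI; the host allowlist, the credential-phrase pattern and the sample summary are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the only hosts this deployment renders as live links or images.
ALLOWED_HOSTS = {"example.com", "docs.example.com"}
# Inline Markdown link or image: optional "!", [label], (url "optional title")
MD_LINK = re.compile(r'(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?(?:\s+"[^"]*")?\s*\)')
HOST_IN_TEXT = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)  # hostname-like label
CRED_ASK = re.compile(r'\b(password|passcode|one[- ]time code|auth(?:entication)? token)\b', re.I)

def host_of(url):
    """Lowercased hostname of an http(s) URL; None for other schemes or bad URLs."""
    try:
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return parsed.hostname.lower()
    except ValueError:
        pass
    return None

def sanitize_summary(markdown):
    """Return (safe_markdown, findings) for model output before it is rendered."""
    findings = []
    def rewrite(match):
        bang, label, url = match.groups()
        host = host_of(url)
        if bang:  # images load automatically on render: keep only allowlisted hosts
            if host in ALLOWED_HOSTS:
                return match.group(0)
            findings.append(("image_removed", url))
            return f"[image removed: {label or 'no alt text'}]"
        shown = HOST_IN_TEXT.search(label)
        if shown and host and shown.group(1).lower() != host:
            findings.append(("label_host_mismatch", url))  # label names another site
        if host not in ALLOWED_HOSTS:
            findings.append(("link_defanged", url))
            return f"{label} ({url.replace('://', '[:]//')})"  # visible, not clickable
        return match.group(0)
    safe = MD_LINK.sub(rewrite, markdown)
    asked = CRED_ASK.search(safe)
    if asked:  # a page summary has no reason to ask the reader for secrets
        findings.append(("credential_request", asked.group(0)))
    return safe, findings

# Constructed sample of a summary as it might come back from the model.
SAMPLE = ("Results summary. ![status](https://img.example.net/p.png?d=abc)\n"
          "Session expired: enter your password at "
          "[accounts.example.com](https://login.example.net/verify). "
          "See [docs](https://docs.example.com/guide).")
```

The findings list is meant to feed logging or a user-facing warning; the filter reduces what a manipulated summary can render but does not stop the injection itself.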

Who Is Most at Risk and What Data Could Be Exposed

Anyone using ChatGPT's web browsing or summarisation features is potentially exposed, but certain groups face elevated risk. Users who rely on ChatGPT to quickly summarise articles, documents, or third-party pages are most likely to encounter injected content without realising it. Enterprise users who have integrated ChatGPT into workflows involving external data sources face compounded exposure.

The data at risk is primarily credential-level information. A successful ChatGPhish attack could trick a user into submitting a password, authentication token, or account detail through a phishing page that the AI has presented as legitimate. Given that billions of credentials are already circulating in breach repositories, including the 19 billion passwords exposed in the RockYou2024 leak, any additional phishing vector that bypasses normal user scepticism is a serious concern.

Accounts linked to payment services, enterprise systems, or sensitive personal data are the most attractive targets. The phishing prompt, appearing as a natural part of a ChatGPT response, is likely to bypass the mental filters users apply when spotting conventional phishing emails.

Why Public Network and VPN Users Face Heightened Exposure

Users on public Wi-Fi networks face a compounded risk from ChatGPhish. On unencrypted or poorly secured networks, traffic interception is a realistic threat. While the ChatGPhish attack itself does not require network-level access, the combination of a compromised network environment and a manipulated AI summary creates a particularly dangerous situation. Credentials phished in a coffee shop or airport can be used immediately, before a user has any chance to detect the compromise.

Using a VPN addresses one layer of this problem by encrypting traffic between the user's device and the internet, reducing the risk of network-level interception. However, it does not prevent ChatGPT from processing malicious web page content and surfacing injected prompts. The ChatGPhish attack lives at the application layer, which means network-level protections alone are insufficient. Users need to remain alert to unexpected credential requests appearing within AI-generated summaries, regardless of how their network traffic is secured.

Practical Steps to Avoid Being Targeted by ChatGPhish

Until OpenAI issues a definitive patch or architectural change that prevents Markdown-based prompt injection, users can take several practical steps to reduce their exposure.

First, treat any credential or login request surfaced through a ChatGPT summary with immediate suspicion. ChatGPT has no legitimate reason to ask for passwords or authentication tokens as part of a web summary. If you see such a request, close the session and navigate directly to the relevant site through your browser.

Second, be selective about which pages you ask ChatGPT to summarise, particularly pages from sources you do not recognise or trust. Attacker-controlled pages are the primary delivery mechanism for ChatGPhish payloads.

Third, review your broader account and credential hygiene now, not after an incident. Using strong, unique passwords across every account means that even if a phishing attack captures one credential, the damage is contained. Given how readily credentials are recycled in attacks after large-scale leaks, this is a non-negotiable baseline.

Finally, monitor OpenAI's security advisories for patches or mitigations related to ChatGPhish. Applying updates promptly is one of the simplest defences against disclosed vulnerabilities.

What This Means For You

ChatGPhish is a reminder that AI tools inherit the risks of the content they process. Trusting an AI summary is not the same as trusting the underlying source, and attackers are already exploiting that gap. The attack does not require sophisticated technical skills on the attacker's side, which means it is likely to spread beyond security researchers into active criminal use.

The most actionable step you can take right now is to audit your credential security. If the same password protects multiple accounts, a single successful ChatGPhish phishing attempt could cascade into a much broader compromise. Reviewing the RockYou2024 breach coverage is a useful starting point for understanding the scale of the credential threat environment that makes attacks like ChatGPhish so consequential. Unique, strong passwords and multi-factor authentication on all critical accounts remain your most reliable first line of defence when AI tools can be turned into phishing surfaces.