OpenAI's ChatGPT web interface contains a vulnerability that allows attackers to inject malicious prompts through Markdown formatting, according to researchers at Permiso Security. The flaw, dubbed ChatGPhish, exploits the chatgpt.com response renderer's implicit trust in Markdown links and images to execute prompt injection attacks.
Threat actors can craft specially formatted content that appears legitimate to users but contains hidden instructions for ChatGPT. When the AI processes this content, attackers can manipulate its behavior, redirect users to phishing sites, or exfiltrate sensitive information. The attack surface expands through ChatGPT's web summaries feature, which renders third-party content without sufficient sanitization.
The vulnerability stems from ChatGPT's design assumption that Markdown formatting in responses originates from trusted sources. Attackers bypass this assumption by hosting malicious Markdown on external websites, then having ChatGPT summarize those pages. The renderer processes the Markdown directives, executing the attacker's hidden instructions.
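
A client or proxy that renders model output can stop treating Markdown links and images as trusted, as described above. The filter below is an added example, not code from OpenAI or Permiso Security; the allowlist, the function names and the sample hosts are assumptions chosen for illustration.

```javascript
// Added example: filter Markdown links/images in model output before rendering.
// ALLOWED_HOSTS is a hypothetical allowlist; adjust it to your own deployment.
const ALLOWED_HOSTS = new Set(["chatgpt.com", "openai.com"]);

// Inline links and images: [label](url "title") and ![alt](url)
const INLINE = /(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

function hostAllowed(host) {
  // Exact match or subdomain of an allowlisted host.
  return [...ALLOWED_HOSTS].some((h) => host === h || host.endsWith("." + h));
}

function sanitizeModelMarkdown(markdown) {
  const findings = [];
  const text = markdown.replace(INLINE, (whole, bang, label, target) => {
    let url;
    try {
      url = new URL(target);
    } catch {
      findings.push({ type: "unparseable-target", target });
      return label; // keep the visible text, drop the link
    }
    if (url.protocol !== "https:") {
      // Policy choice in this example: only https targets are rendered.
      findings.push({ type: "blocked-scheme", target });
      return label;
    }
    if (hostAllowed(url.hostname)) return whole;
    if (bang) {
      // Remote images load without a click, so an untrusted one is removed.
      findings.push({ type: "untrusted-image", host: url.hostname });
      return `[image removed: ${url.hostname}]`;
    }
    // A label naming one domain while the href points to another is a phishing tell.
    const named = label.match(/\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/i);
    const mismatch = named !== null && named[1].toLowerCase() !== url.hostname;
    findings.push({ type: mismatch ? "label-mismatch" : "untrusted-link", host: url.hostname });
    // Show the real destination as plain text instead of a clickable link.
    return `${label} (link removed, pointed to ${url.hostname})`;
  });
  return { text, findings };
}
```

The `findings` array can be logged for detection, so repeated `label-mismatch` or `untrusted-image` events from summarized pages surface as an alert rather than being silently dropped.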
Permiso Security demonstrated the technique could redirect users to credential-stealing pages or inject prompts that override ChatGPT's safety guidelines. The attack requires no authentication and works against the default web interface, affecting all ChatGPT users who access summarized content from untrusted domains.
Organizations using ChatGPT for sensitive operations face elevated risk. Employees could receive phishing emails containing links that, when summarized by ChatGPT, trigger malicious prompts designed to extract company information or install subsequent payloads. The vulnerability also enables social engineering at scale, since attackers need only craft a single malicious webpage to compromise multiple users.
OpenAI has not released a public patch, though the disclosure suggests the vendor is aware of the issue. Users should avoid summarizing content from untrusted sources and remain cautious when ChatGP
