
Achin Bansal

Posted on • Originally published at gridthegrey.com

ChatGPhish Exploit Turns ChatGPT Summarisation Into a Live Phishing Surface

Forensic Summary

Permiso Security has disclosed ChatGPhish, a vulnerability in ChatGPT's web summarisation feature that allows attacker-controlled Markdown payloads embedded in third-party pages to render phishing links, spoofed alerts, and QR codes directly within ChatGPT's trusted UI. The attack requires no user interaction beyond asking ChatGPT to summarise a malicious page, and it can exfiltrate IP addresses, User-Agent strings, and Referer headers via remote images that are fetched automatically when the summary renders, with no click required. The technique significantly expands the phishing attack surface beyond email into everyday AI-assisted browsing workflows, posing a particular risk in enterprise environments.

Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/chatgphish-exploit-turns-chatgpt-summarisation-into-a-live-phishing-surface/
