ChatGPT Exploited for Phishing: Targeting Page Summaries and Share Links
In just a few hours, two independent studies have shown two different ways to turn ChatGPT into a phishing surface. They do not exploit a flaw in the model itself, but something more subtle: the trust that the user places in the interface and the legitimate domain of the assistant.
ChatGPhish: When the Summary Becomes the Bait
The first technique, dubbed ChatGPhish by Permiso Security, exploits the way ChatGPT displays responses. According to researcher Andi Ahmeti, the component that renders the responses trusts links and images in Markdown format from a recently summarized third-party page and automatically transforms them into clickable elements and images loaded inside the trusted interface of the assistant.
The mechanism is an indirect prompt injection, meaning malicious instructions are hidden in external content that the model ends up executing. An attacker can add a small payload to any page that the victim then asks ChatGPT to summarize. From there, Permiso explains, they can make phishing links appear as clickable elements in the response, show fake security alerts written in the style of ChatGPT, or serve a QR code hosted in a storage space controlled by the attacker: by scanning it with a smartphone, the victim exits the computer's browser and bypasses URL filters that protect the desktop. Furthermore, simply loading the embedded images is enough to leak the victim's IP address, User-Agent, and other details.
The key point that makes ChatGPhish remarkable, notes Permiso, lies not so much in the already-known prompt injection (we saw a case with the "false memories" implanted in ChatGPT), but in the fact that instructions hidden in a page are presented to the user as a legitimate part of the summary. The attack surface shifts from email to the browser: there is no longer a need to open an attachment or respond to a suspicious message; it is enough to ask the assistant to summarize a page during normal browsing, as also observed by The Register.
LLMShare: Malware Served from a Legitimate Domain
The second technique, documented by Push Security and named LLMShare, starts from a different point but exploits the same trust. Attackers use sponsored ads on Google to intercept those searching for ChatGPT and lead them to a shared conversation page hosted on the legitimate domain chatgpt.com. However, instead of a chat, the victim finds a fake service interruption notice inviting them to download the desktop application.
The alert is not a classic phishing page on an attacker's server: it is generated by ChatGPT itself, exploiting the platform's ability to produce custom HTML and CSS from a prompt and published through a share link. Those who click the download button end up on openew[.]app, a site that mimics the official OpenAI portal and distributes malware for both macOS and Windows. The site uses cloaking: it shows a harmless page of a fake augmented reality company to security analysis tools and the malicious content only to designated victims. Push Security has observed the same technique used against Claude Artifacts, Anthropic's analogous feature.
The thread that ties the two studies together is also the most uncomfortable lesson. For years, the rule has been to distrust attachments and unknown senders, but in the two observed cases, the malicious content arrives through a trusted domain and an interface that the user considers secure by definition. As ChatGPT and similar tools become integrated into daily workflows to search for and summarize information, the attack surface expands precisely where attention wanes, in the ordinary act of asking an assistant to do its job. Traditional defenses, built around email, are not very effective in this terrain, and once again, as social engineering teaches, it is precisely the manipulation of trust that is the most effective lever when it comes to carrying out cyberattacks.