Security researchers have documented ChatGPhish, a prompt injection concept showing how attacker-controlled web content can influence ChatGPT page summaries. The study demonstrates how fake account alerts, phishing links and QR codes could appear inside trusted AI responses after ordinary web pages are summarised.

ChatGPhish Technique Shows How Browser Prompt Injection Can Manipulate ChatGPT Summaries

The420.in Staff

Security researchers have documented a new vulnerability concept called ChatGPhish, showing how browser-based prompt injection can influence ChatGPT page summaries and potentially expose users to phishing content. The research argues that ordinary web pages can become delivery mechanisms when attacker-controlled instructions are processed inside a trusted AI interface.

Browser-Based Prompt Injection Expands Risk

The research builds on earlier findings involving AI-assisted email summarisation, where attacker-controlled content embedded in emails could manipulate a large language model into producing misleading responses inside trusted interfaces.

The latest study extends that risk beyond email and into the browser. According to the researchers, the core issue is the transfer of trust that happens when content from a third-party website is processed and presented inside a trusted ChatGPT interface.

Pages containing attacker-controlled instructions may influence the model’s output and lead users to interact with content that appears legitimate. Unlike email attacks, which may face spam filters, secure gateways and attachment controls, browser-based attacks require far less interaction. A victim may only need to visit a webpage and request a summary through an AI-powered browsing feature.

Researchers Demonstrate Phishing Within ChatGPT

During testing, researchers used Firefox as the entry point. After visiting a page and invoking ChatGPT’s page summarisation feature, the page content was supplied to the model. Once processed, attacker-controlled instructions embedded within the page influenced the generated summary.

The resulting response was displayed inside ChatGPT with rendered links and images. Researchers stressed that this was not a Firefox vulnerability, saying Firefox only provided access to the page summarisation workflow.

In one proof-of-concept scenario, an attacker appended instruction-like content to an otherwise legitimate page, such as a GitHub README, article, documentation page or product website. The injected prompt directed the assistant to generate a standard page summary followed by a fake account security alert claiming that a new device had been added to the user’s account.

QR Codes Create Cross-Device Threat

Researchers observed that ChatGPT generated a legitimate page summary before appending the attacker-controlled alert. The phishing URL appeared beside the summary in a way that could be mistaken for an official platform notification.

The study said this behaviour shows how prompt injection can transform external web content into seemingly trustworthy assistant-generated information.

The ChatGPhish research also examined a more advanced method involving QR codes. While traditional phishing links are visible and often subject to browser protections, QR codes can shift the interaction to a separate device. Users scanning a code with a smartphone may not see the underlying destination URL until after the scan.

In the demonstrated scenario, researchers replaced a phishing hyperlink with a Markdown image containing a QR code hosted in an attacker-controlled Amazon S3 bucket. Because the ChatGPT renderer automatically fetched and displayed the image, the QR code appeared directly within the assistant’s response. Once scanned, victims could be redirected to an attacker-controlled destination without triggering desktop browser protections such as URL previews, domain reputation checks, blocklists or password-manager warnings.
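A defensive illustration of the rendering step described above, added here and not taken from the research or from ChatGPT's own code: a filter an assistant front end could run on model output before rendering, so that images are never fetched from hosts outside an allowlist and links to unknown hosts are de-linked with their destination host shown. The allowlist, host names and sample text are constructed assumptions.

```javascript
// Added example: the allowlist, hosts and sample text below are constructed.
const ALLOWED_HOSTS = new Set(["docs.example.com"]); // hypothetical allowlist

// Matches inline Markdown images ![alt](url "title") and links [text](url).
const INLINE_REF = /(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?(?:\s+"[^"]*")?\s*\)/g;

function hostOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    // Only http(s) destinations can be allowlisted; other schemes are rejected.
    const web = u.protocol === "https:" || u.protocol === "http:";
    return web ? u.hostname.toLowerCase() : null;
  } catch {
    return null; // relative or malformed URL: treat as untrusted
  }
}

function sanitizeAssistantMarkdown(markdown, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const text = markdown.replace(INLINE_REF, (match, bang, label, url) => {
    const host = hostOf(url);
    if (host !== null && allowedHosts.has(host)) return match; // trusted: keep
    const kind = bang ? "image" : "link";
    findings.push({ kind, host, url });
    const shown = host ?? "unparseable URL";
    // Images are dropped so nothing is auto-fetched; links lose their target
    // but keep their label, with the destination host made visible.
    return kind === "image"
      ? `[image removed: ${shown}]`
      : `${label} [external link removed: ${shown}]`;
  });
  return { text, findings };
}

// Constructed model output: a page summary followed by appended content.
const SAMPLE = [
  "This README describes a logging library. See [the docs](https://docs.example.com/start).",
  "",
  "![Scan to review](https://qr-host.example/code.png)",
  "[Review activity](https://accounts.login-check.example/verify)",
].join("\n");

const result = sanitizeAssistantMarkdown(SAMPLE);
console.log(result.text);
console.log(result.findings);
```

The `findings` array can also be logged as a detection signal, since a page summary that tries to render an image or link to a host unrelated to the summarised page is worth reviewing.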
