ChatGPT Prompt Injection Lets Attacker-Controlled Web Pages Inject Phishing Links Into AI Responses
Curated by AI Is Going Just Great
Source: theregister.com
Do not trust model output. AI-generated content should always be treated as untrusted. Assume prompt injection will happen.
A security researcher at Permiso discovered that ChatGPT can't distinguish its own generated text from attacker-injected Markdown pulled in from an external web page, so any page a user asks the chatbot to summarize can silently add fake security alerts, phishing URLs, or even inline QR codes pointing at attacker-controlled domains to the reply. The technique, dubbed "ChatGPhish," sidesteps desktop URL defenses entirely once the victim scans an AI-rendered QR code with a phone: the link never passes through the desktop browser or its URL filtering, it is decoded by the phone's camera.
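The practical takeaway is that a summary of a web page should be treated like any other untrusted output before it is rendered. As an added example (not the researcher's payload and not code from OpenAI or The Register), the Python below applies one defensible policy to a model-written summary: links may only point at the host that was summarized (plus an explicit allowlist), and images are dropped outright, because a QR code is just an image. The sample summary, the host names and the `sanitize_summary` helper are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not the researcher's payload): what a page summary could
# look like after the summarized page injected Markdown into the answer.
SOURCE_URL = "https://example.com/report"
MODEL_OUTPUT = """\
The report covers Q3 results and the new compliance programme.

**Security alert:** your session has expired. [Re-authenticate here](https://login.example.net/verify)
to keep reading, or scan this code on your phone:

![Verify](https://qr.example.net/code.png)

See also the [original report](https://example.com/report#q3) and <https://example.com/faq>.
"""

IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)[^)]*\)")      # ![alt](url "title")
LINK_RE = re.compile(r"(?<!!)\[([^\]]*)\]\(([^)\s]+)[^)]*\)")  # [text](url "title")
AUTOLINK_RE = re.compile(r"<(https?://[^>\s]+)>")               # <url>
BARE_URL_RE = re.compile(r"(?<![(<])https?://[^\s)>\]]+")      # url not already inside ( ) or < >


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def sanitize_summary(markdown: str, source_url: str, extra_allowed=()):
    """Return (clean_markdown, findings) for a model-written page summary.

    Policy (this example's assumption, not a documented OpenAI control):
    a summary of one page may only link to that page's host plus an explicit
    allowlist, and may not carry images at all, because a QR code is just an
    image that hands the URL to a phone your desktop URL filtering never sees.
    Every removed element is recorded in `findings` as (kind, url).
    """
    allowed = {host_of(source_url), *(h.lower() for h in extra_allowed)}
    findings = []

    def drop_image(m):
        findings.append(("image", m.group(2)))
        return f"[image removed: {m.group(1) or 'untitled'}]"

    def check_link(m):
        text, url = m.group(1), m.group(2)
        if host_of(url) in allowed:
            return m.group(0)               # same host as the page: keep as-is
        findings.append(("external-link", url))
        return f"{text} [link removed: {host_of(url)}]"

    def check_bare(m):
        # Works for both AUTOLINK_RE (one group) and BARE_URL_RE (no groups).
        url = m.group(1) if m.lastindex else m.group(0)
        if host_of(url) in allowed:
            return m.group(0)
        findings.append(("external-link", url))
        return f"[link removed: {host_of(url)}]"

    # Images first, so a removed image can never be re-read as a link.
    clean = IMAGE_RE.sub(drop_image, markdown)
    clean = LINK_RE.sub(check_link, clean)
    clean = AUTOLINK_RE.sub(check_bare, clean)
    clean = BARE_URL_RE.sub(check_bare, clean)
    return clean, findings


if __name__ == "__main__":
    cleaned, found = sanitize_summary(MODEL_OUTPUT, SOURCE_URL)
    print(cleaned)
    for kind, url in found:
        print(f"removed {kind}: {url}")
```

The sanitizer deliberately leaves the injected "Security alert" wording in place: text alone cannot carry the victim anywhere, and trying to filter phrasing is a losing game. What it does guarantee is that the only clickable or scannable destinations left in the reply belong to the page the user actually asked about, which is the property the phishing chain depends on breaking.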
OpenAI's response to the responsible disclosure was, in the researcher's words, a journey: the initial report was marked "not reproducible," the resubmission was marked a "duplicate" despite "major differences," and The Register's follow-up questions went unanswered. Whether the flaw has been fixed remains unknown — so if you're asking ChatGPT to summarize web pages, maybe don't click anything it tells you to.