ChatGPhish The Page Is the Payload
ChatGPhish: The Page Is the Payload 🚀
This research takes that same class of problem into another dimension. Different product. Different LLM surface. Different delivery primitive. This time, the primitive is not the email; it is the browser. That matters because the browser is where users spend their day. Documentation pages, GitHub repositories, blog posts, dashboards, help articles, marketing sites, internal portals, SaaS consoles, and search results all become possible delivery surfaces. If the user can ask ChatGPT to summarize the page, the page can become the payload.
According to the findings, the chatgpt.com response renderer trusts Markdown links and Markdown image URLs that originated from a third-party page the assistant has just summarized. It auto-fetches those images and surfaces those links as live, clickable elements inside the trusted assistant UI. By appending a small payload to any web page the victim later asks ChatGPT to summarize, an unauthenticated remote attacker can achieve several objectives. These include cross-origin info disclosure / passive beacon, where attacker-hosted images embedded in the page are auto-fetched on every render of the answer, leaking the victim’s IP, User-Agent, Referer, and high-resolution timing tied to the moment ChatGPT produced the answer. Additionally, UI redress / phishing inside the trusted ChatGPT surface is possible, as attacker-controlled Markdown links are rendered as live clickable elements inside the assistant’s reply with no origin labeling. Attackers can also create spoofed system-style alerts, as the renderer happily lays out attacker text as a fake “security alert” wearing the assistant’s formatting and tone. Furthermore, a mobile-pivot via inline QR code is feasible, with auto-rendering a QR-code image from an attacker S3 bucket giving the victim a phone-scan target, bypassing every desktop URL defense.
The browser significantly expands the attack surface compared to email. A user does not need to receive anything; they only need to visit something like a GitHub README, a documentation page, a public blog post, or a project landing page. In our testing, Firefox acted as the entry point, but the researchers note, “This is Not a Firefox Bug.” The browser simply passes page content into ChatGPT’s summarization flow. The real issue is that attacker-controlled content can be rendered as trusted UI inside the LLM experience.
To demonstrate the research, a scenario was simulated where an attacker appends a fake security alert to a page. When the user opens the page and asks ChatGPT to summarize it, the assistant produces a legitimate summary and then appends attacker-controlled text formatted like an account notification. The assistant follows the “formatting requirement” wholesale: it produces a real summary of the project and then continues straight into the fake account-security block, presenting https://krileva.com/ as if it were an OpenAI/ChatGPT-issued security URL. The same injection technique can render an inline image, such as a QR code. A QR code is read off-screen by a second device, meaning browser-side defenses (URL hover preview, blocklists, password-manager domain checks) never see the destination. This directs the user’s phone straight to the attacker’s landing page.
A minor variation also switches the image source to a URL shortener, which causes the chatgpt.com renderer to issue a live HTTP request to attacker-controlled infrastructure on every render of the answer, leaking telemetry. The attacker’s endpoint records the requesting client’s IP address, User-Agent, Referer, and high-resolution timing tied to the moment ChatGPT produced the answer. In aggregate, this is enough to confirm that a specific target read a specific attacker page through ChatGPT, useful pre-targeting for a follow-on attack. The shift from email to the browser significantly expands the potential attack surface. Simply summarizing a page during normal browsing activity can introduce attacker-controlled instructions into the model context and ultimately into the rendered response.