Yesterday, security researchers at Permiso Security dropped a disclosure on a vulnerability they've named ChatGPhish. It landed with almost no fanfare outside security circles. It deserves a lot more attention.
Here's the short version: when your team uses ChatGPT to summarize a web page, ChatGPT doesn't just read the text. It trusts and renders any Markdown it finds in that page — including links, images, and alerts. An attacker who controls any page — a blog, a GitHub README, a vendor landing page, even a grant portal — can embed hidden instructions that make ChatGPT serve phishing links, fake security alerts, and QR codes directly inside the ChatGPT interface.
The interface your team thinks of as "safe and trusted."
How the attack actually works
Step one: the attacker owns or modifies any web page. It doesn't have to be their own site. It could be a public wiki, a GitHub repository with a poisoned README, or a comment on a shared public document.
Step two: they embed a malicious Markdown payload. Something as simple as a Markdown image tag pointing to their server, or a phishing link disguised as normal text.
Step three: one of your employees — maybe doing due diligence on a vendor, researching a grant portal, reviewing a contractor's site — pastes the URL into ChatGPT and asks for a summary.
Step four: ChatGPT fetches and summarizes the page. But because its renderer trusts Markdown from the content it's summarizing, the malicious payload gets injected directly into the response. Your employee sees what looks like a normal ChatGPT summary — but it now contains live clickable phishing links, or a QR code, or an image that just silently pinged the attacker's server with your employee's IP address, browser type, and referrer.
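The four steps above come down to one design flaw: Markdown that arrived inside fetched page content is handed to the same renderer as the assistant's own words, so images become beacons and links become clickable. The following is an added defensive example, not code from Permiso, OpenAI or the ChatGPT product. It shows what the missing separation looks like: text that originated in an untrusted page is passed through a neutralizer that replaces every image (a QR code is just an image) and every link with a plain-text placeholder naming only the host, and records what it removed so an analyst can triage third-party hosts. The function name, the `page_host` parameter and the `.example`/`.invalid` hostnames in the sample summary are all assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlparse

# Patterns for the Markdown constructs a chat renderer would turn into live
# images and clickable links. Optional "title" strings after the URL are tolerated.
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*(\S+?)(?:\s+"[^"]*")?\s*\)')
MD_LINK = re.compile(r'(?<!!)\[([^\]]*)\]\(\s*(\S+?)(?:\s+"[^"]*")?\s*\)')
HTML_IMG = re.compile(r'<img\b[^>]*>', re.IGNORECASE)
HTML_SRC = re.compile(r'''src\s*=\s*["']?([^"'\s>]+)''', re.IGNORECASE)
AUTOLINK = re.compile(r'<(https?://[^>\s]+)>')


def _host(url: str) -> str:
    """Hostname of a URL, or '' when it has none (relative or malformed)."""
    try:
        return (urlparse(url.strip('<>')).hostname or '').lower()
    except ValueError:
        return ''


def neutralize_untrusted_markdown(text: str, page_host: str):
    """Rewrite Markdown that originated in a fetched page so nothing in it
    renders as an image, QR code or clickable link.

    Returns (safe_text, findings). Each finding records what was removed, the
    host it pointed at, and whether that host differs from the page the user
    asked about, which is the quickest triage signal for a tracking beacon or
    a phishing destination planted in third-party content.
    """
    findings = []

    def record(kind, url):
        host = _host(url)
        findings.append({'kind': kind, 'url': url, 'host': host,
                         'cross_origin': host != page_host.lower()})
        return host or 'unknown host'

    def drop_html_img(m):
        src = HTML_SRC.search(m.group(0))
        host = record('html_image', src.group(1) if src else '')
        return f'(image removed: {host})'

    def drop_md_image(m):
        # Every image is treated as a beacon: the viewer's browser, not the
        # summarizer, would fetch it, leaking IP, user agent and referrer.
        return f'(image removed: {record("image", m.group(2))})'

    def drop_md_link(m):
        # Keep the visible text, show only the host, never a clickable URL.
        return f'{m.group(1)} (link removed: {record("link", m.group(2))})'

    def drop_autolink(m):
        return f'(link removed: {record("link", m.group(1))})'

    # Images before links, so a nested [![alt](img)](url) loses both layers.
    safe = HTML_IMG.sub(drop_html_img, text)
    safe = MD_IMAGE.sub(drop_md_image, safe)
    safe = MD_LINK.sub(drop_md_link, safe)
    safe = AUTOLINK.sub(drop_autolink, safe)
    return safe, findings


# Constructed sample: a summary of a fictional grant portal into which fetched
# page content has carried the kinds of Markdown the disclosure describes.
SAMPLE_SUMMARY = """Acme Grants portal overview. Applications close June 30.
![](https://tracker.example.invalid/p.gif)
Security notice: verify your account at [grants.acme.example](https://login.acme-grants.example.invalid/verify).
Scan to apply: ![apply](https://cdn.example.invalid/qr.png)
<img src="https://tracker.example.invalid/b.png" width="1" height="1">
Contact: <https://acme.example/contact>"""


if __name__ == '__main__':
    safe_text, found = neutralize_untrusted_markdown(SAMPLE_SUMMARY, 'acme.example')
    print(safe_text)
    print()
    for f in found:
        origin = 'third-party' if f['cross_origin'] else 'same host'
        print(f"{f['kind']:10s} {origin:11s} {f['host']}")
```

Two design choices matter here. Links are reduced to their hostname rather than printed as a full URL, because a chat UI will often auto-link a bare URL and put the clickable element straight back. And same-host images are removed along with cross-origin ones: the summarizer fetched the page, but the image would be fetched by the employee's own browser, so even the vetted vendor's server learns who is reading the summary and from where.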
No suspicious email. No sketchy URL to hover over. No "this looks off" instinct kicking in — because it came from inside ChatGPT.
Why small orgs specifically need to pay attention
Large enterprises often have browser controls, URL filtering, and dedicated security teams watching outbound traffic. Most small orgs don't — and that's exactly the gap ChatGPhish exploits.
Think about how your team uses ChatGPT right now. Are people summarizing research? Pasting in competitor websites to analyze messaging? Pulling in grant documentation? Reviewing supplier websites? These are normal productivity habits that now carry a real attack surface.
Three scenarios that are realistic for a 15-50 person org:
Vendor vetting goes sideways. Your team is evaluating a new software vendor. Someone pastes the vendor's marketing site into ChatGPT to get a quick summary. The vendor's page has a hidden Markdown payload — either because they were compromised, or because a threat actor poisoned content upstream. ChatGPT renders a fake "urgent security alert" inside the summary. The employee clicks.
QR code attack bypasses your URL defenses. This one is particularly nasty. Permiso specifically documented that an attacker can inject a QR code into the ChatGPT response — served from attacker-controlled infrastructure. Your employee's desktop has URL filtering. But if they scan that QR code with their phone, those defenses don't apply. The destination isn't visible until the phone scans it.
Passive tracking during sensitive research. Your org is doing research on a sensitive topic — a merger, a regulatory filing, a competing grant application. Someone summarizes pages from a third-party site using ChatGPT. Every time ChatGPT fetches an image from those pages, it silently sends your employee's IP address, browser fingerprint, and referrer header to whoever controls those images. You've handed over metadata about your research activity without knowing it.
OpenAI's response has been underwhelming
Permiso originally filed the vulnerability report through Bugcrowd on April 29, 2026. OpenAI initially marked it as "not reproducible." When Permiso resubmitted with additional detail, OpenAI marked it as a duplicate — but according to Permiso, the supposed duplicate had major differences from the actual issue.
As of May 29, when this was published, Permiso states they have not received confirmation that a fix has been applied. That means this is live, unpatched, and now publicly documented with enough detail that threat actors can replicate it.
What to do before OpenAI fixes this
Tell your team today. "Don't click any links that appear inside a ChatGPT summary of a web page." This single rule dramatically cuts your exposure. If ChatGPT summarized a page and shows you a link, close the summary and go directly to the source website by typing the URL yourself.
Stop asking ChatGPT to summarize unverified public pages. If your team is using ChatGPT to research pages they don't directly control, treat the AI's output as potentially contaminated — especially any links, alerts, or images that appear in the response.
QR codes in ChatGPT responses are red flags. There is no legitimate reason for a QR code to appear in a ChatGPT web summary. If anyone on your team sees one, don't scan it.
Don't assume other AI tools are safe either. ChatGPhish works because ChatGPT renders Markdown from external content. Any AI tool that fetches and renders web content has a version of this problem. Permiso lists SymJack, TrustFall, and WebPromptTrap as related exploits across other AI platforms. This is an industry-wide design assumption being actively weaponized.
The bigger picture
This is what happens when AI tools treat web content as trusted input. The web has never been safe to parse as instructions — we've known that for decades. But AI tools are increasingly fetching, interpreting, and rendering web content inside interfaces that users trust implicitly.
For small orgs, the risk isn't that your systems get hacked. The risk is that your people get hacked — through tools they think of as safe. An employee who would never click a phishing link in an email might click one that appeared inside a ChatGPT response. It looks like ChatGPT is telling them to do it.
Right now, the only reliable defense is awareness and behavior change. Until OpenAI enforces clear separation between retrieved web content and rendered assistant output, your team's habits are the firewall.
This is the kind of thing we walk through in a half-day session with small org teams — what your current AI workflows look like, where the exposure points actually are, and what guardrails make sense for your context. No 40-page deck. Just an honest look at what's live in your environment and what to do about it.