You and me go ChatGPhish-ing in the dark
# Vulnerability: ChatGPhish - Indirect Prompt Injection via Markdown Rendering
## CVE Details
- **CVE ID**: Not Assigned (Reported to OpenAI, currently lacks a tracking identifier)
- **CVSS Score**: Estimated 6.8 - 7.5 (Medium/High)
- **CWE**: CWE-506 (Embedded Malicious Code), CWE-79 (Improper Neutralization of Input - Reflected Cross-Site Scripting via Markdown)
## Affected Systems
- **Products**: OpenAI ChatGPT
- **Versions**: Current web and mobile versions (as of May 2026 reporting)
- **Configurations**: Any user session where ChatGPT is instructed to interact with, read, or summarize external web content (via browsing tools or URL input).
## Vulnerability Description
The vulnerability stems from ChatGPT's inability to distinguish between its own system instructions and attacker-controlled Markdown content fetched from external websites. When a user asks the chatbot to summarize a malicious URL, the AI interprets hidden instructions embedded on that page as high-priority formatting commands.
Because the ChatGPT client automatically renders Markdown (including images and hyperlinks), the AI can be forced to display spoofed UI elements, such as "Security Alerts" or "Account Notifications," that look like native platform messages but contain links to external phishing sites or malicious QR codes.
## Exploitation
- **Status**: PoC available; reported to vendor. Evidence suggests potential for exploitation in the wild due to ease of implementation.
- **Complexity**: Low
- **Attack Vector**: Network / Indirect (User interacts with a malicious/compromised website via the AI).
## Impact
- **Confidentiality**: High (Theft of credentials via phishing lures).
- **Integrity**: Medium (Manipulation of information presented to the user).
- **Availability**: None.
## Remediation
### Patches
- **OpenAI Status**: No official patch confirmed. The researcher reported the issue on April 29, but OpenAI has not confirmed a fix. Users are advised to check OpenAI's official release notes for updates regarding "Markdown filtering" or "Content Security Policy" (CSP) improvements.
### Workarounds
- **Exercise Caution**: Avoid using AI tools to summarize untrusted or unfamiliar websites.
- **Visual Inspection**: Hover over any links generated within a ChatGPT response to verify the destination URL matches the expected domain.
- **Ignore "System" Alerts in Chat**: Be aware that OpenAI will not typically issue security alerts or "new login" notifications directly inside a conversation window.
## Detection
- **Indicators of Compromise**:
  - Unexpected formatting/boxes in chat responses (e.g., "Account: A new device was added").
  - Redirects to suspicious domains such as `krileva[.]com` (from the PoC).
  - Presence of QR codes in the chatbot output when not explicitly requested.
- **Detection Methods**: Security teams can monitor network logs for traffic originating from ChatGPT sessions to known phishing hosting sites or unusual S3 buckets.
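A client- or proxy-side check for the indicators above, added here as an example and not taken from the researcher report or from OpenAI: it scans an assistant response's Markdown for images and links whose host is outside an allowlist, flags inline (data URI) images that could carry a QR code, and notes whether the response also contains notification-style wording. The spoof-phrase list, the allowlist and the sample response are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Markdown image ![alt](url "title") and link [text](url "title") patterns.
# The link pattern excludes a leading '!' so an image is not counted twice.
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*(\S+?)(?:\s+"[^"]*")?\s*\)')
MD_LINK = re.compile(r'(?<!!)\[([^\]]+)\]\(\s*(\S+?)(?:\s+"[^"]*")?\s*\)')

# Wording that imitates platform notifications (constructed list).
SPOOF_PHRASES = ("security alert", "account notification", "new device",
                 "new login", "verify your account", "scan the qr")


def _host_allowed(host, allowed_hosts):
    """True if host equals or is a subdomain of an allowlisted host."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def flag_response(markdown, allowed_hosts):
    """Return a list of findings for rendered elements that could be lures."""
    allowed = {h.lower() for h in allowed_hosts}
    spoof_wording = any(p in markdown.lower() for p in SPOOF_PHRASES)
    findings = []
    for kind, pattern in (("image", MD_IMAGE), ("link", MD_LINK)):
        for m in pattern.finditer(markdown):
            text, url = m.group(1), m.group(2)
            if kind == "image" and url.lower().startswith("data:"):
                # Inline image: no host to check, but a QR code can hide here.
                findings.append({"kind": "inline-image", "url": url[:40],
                                 "host": "", "text": text,
                                 "spoof_wording": spoof_wording})
                continue
            host = (urlparse(url).hostname or "").lower()
            if host and not _host_allowed(host, allowed):
                findings.append({"kind": kind, "url": url, "host": host,
                                 "text": text, "spoof_wording": spoof_wording})
    return findings


# Constructed sample response imitating the spoofed alert described above.
SAMPLE = """Here is a summary of the page.

> **Security Alert**: A new device was added to your account.
> Please [review your devices](https://login.phish.example/verify)
> or scan the QR code below.
![QR code](https://cdn.phish.example/qr.png)
![QR code](data:image/png;base64,iVBORw0KGgo=)

Source: [OpenAI](https://openai.com)
"""


def demo():
    return flag_response(SAMPLE, {"openai.com", "chatgpt.com"})
```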
## References
- **Researcher Report**: hxxps://permiso[.]io/blog/chatgpt-markdown-rendering-vulnerability
- **News Coverage**: hxxps://www[.]theregister[.]com (The Register article)
- **Vendor Platform**: hxxps://chatgpt[.]com