The "ChatGPhish" vulnerability is a high-severity indirect prompt injection flaw residing in the ChatGPT web interface's Markdown rendering engine. By leveraging the model's web-browsing and summarization capabilities, an attacker can host malicious Markdown/HTML payloads on an external webpage. When ChatGPT processes this URL, the renderer interprets the untrusted content as legitimate UI elements within the chatgpt.com domain. This facilitates "trust-transfer" attacks, allowing adversaries to inject spoofed security alerts, fraudulent hyperlinks, and phishing QR codes directly into the user's trusted session, aiming for credential theft and session hijacking via sophisticated social engineering.
Threat Model: Indirect Prompt Injection
- Exploits the integration between LLM reasoning and web-content rendering.
- Leverages user-initiated requests to browse or summarize untrusted external URLs.
- Utilizes a "trust-transfer" effect where malicious content inherits the visual credibility of the OpenAI interface.
Attack Mechanics: Markdown Exploitation
- Payload Delivery: Attackers host specifically crafted Markdown and HTML combinations on malicious websites.
- Rendering Trigger: The ChatGPT browsing engine retrieves and interprets the hosted content during a summarization task.
- UI Manipulation: The Markdown engine renders deceptive elements, including spoofed system notifications and fraudulent interactive buttons.
- Visual Deception: Implementation of phishing QR codes and fake security links to bypass user scrutiny.
Systemic & Security Impact
- Primary Objective: Facilitates credential theft, session hijacking, and sophisticated social engineering.
- Severity Level: Rated High due to the ability to bypass traditional visual hygiene through platform-native rendering.
- Affected Demographic: ChatGPT users utilizing web-browsing or page-summarization capabilities.
Mitigation & Countermeasures
- Content Sanitization: Apply stricter server-side sanitization to Markdown elements sourced from external URLs (raw HTML, remote images, and links) before they are rendered in the chat interface.
- Interface Isolation: Enhanced sandboxing for any UI elements generated via web-scraping or third-party content rendering.
- Defensive Awareness: Educating users on the risks of interacting with UI elements generated within an LLM-summarized context.
Conclusion
- Highlights a critical evolution in the LLM threat landscape regarding tool-use and web integration.
- Underscores the necessity for robust Content Security Policies (CSP) within AI-driven interfaces.
Related posts
- permiso.io — ChatGPhish: The Page Is the Payload
- The Register - Security — ChatGPT blindly trusts browser content, turning the page into a payload
- Cybersecurity News — New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads
- feeds.feedburner.com — ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface