Published On 3/6/2026
A group of researchers found a vulnerability in “GPT Chat” systems that opens the door to phishing attacks through the use of malicious command injection attacks into the system and exploiting the feature of summarizing Internet pages, according to a report by the American technical website “The Hacker News.”
The vulnerability depends mainly on GPT Chat’s prior trust in files that come with the Markdown extension, which is a new file extension that can carry links and images and that artificial intelligence can recognize and read.
The form displays any links or images contained in this extension if it is included in Internet pages and the user requests a summary of the page directly. Researchers at the security company Prismo Security called it “GPT chat phishing.”
A report by the British website “The Register” states that the vulnerability occurs because “GPT Chat” cannot differentiate between the content it generated and the content injected into Internet pages with malicious intent, and therefore displays all of this content when summarizing the page.
For its part, OpenAI did not provide any response or clarification about the vulnerability and whether it was able to fix it or not, according to what was stated in the “The Register” report.
In his statement to The Register website, Andy Ahmadi, security researcher at Bersmo, expects that the vulnerability is not limited to GPT Chat or is the result of a programming error in it. Rather, he believes that it may extend to a group of other tools because of its connection to the mechanism of how generative artificial intelligence models work.
Ahmadi explained that artificial intelligence models have now developed in a way that makes them more similar to operating systems and browsers, and thus vulnerabilities can be found and software vulnerabilities can be created directly in them.
How does the loophole work?
This vulnerability belongs to the category of command injection attacks in artificial intelligence models, which are attacks that rely on hiding a set of malicious commands in pages and then directing them to artificial intelligence models to reveal user data.
In this case, the vulnerability reveals the user’s IP address and a set of other data related to him, such as the domain link, the user’s location, the computer he is using, and any other internal data that was shared with the form.
The commands also include a mechanism for sending responses and information directly to the attacker in an unobtrusive manner, so that he can use them later.
Complex risk
Ahmadi confirms that the attack represents a complex threat to the security of users in the age of artificial intelligence. While the first point of danger in the model is sharing user data with attackers, there is another point of danger, which is showing malicious links or quick response codes.
In this case, the user clicks on the link from his phone or scans the QR code, which allows the attacker to take over the user’s phone and do whatever he wants.
This step represents a primary attack mechanism, that is, it is the door that allows the attacker to do whatever he wants inside the victim’s device, especially if the victim scans the malicious QR codes or clicks on any external link inside the devices.
Ahmadi concluded his speech by pointing out the danger of command injection attacks, especially since they relate to the capabilities of artificial intelligence applications and not vulnerabilities that can be closed programmatically.
