TL;DR: Permiso Security shows that ChatGPT’s page summarization renderer can trust Markdown links and images from third-party pages, auto-fetching remote assets and rendering clickable phishing elements inside the assistant UI, while also leaking IP, User-Agent, Referer, and timing data through image requests. Browser-based prompt injection turns ordinary browsing into a delivery surface, and the trust boundary around rendered assistant output is now the control problem.
NHIMG editorial — based on content published by Permiso Security: ChatGPhish, the page is the payload
Questions worth separating out
Q: How should security teams handle links that appear inside AI-generated page summaries?
A: Treat every link inside an AI-rendered summary as untrusted until its source and destination are independently verified.
Q: Why do browser-based prompt injections create a bigger trust problem than email summaries?
A: Browser-based injection is harder to filter because users visit content directly and often trust what they are already reading.
Q: What breaks when remote images are auto-fetched inside AI assistant responses?
A: Remote-image fetching turns a summary into a network event.
Practitioner guidance
- Label imported content before it is rendered. Preserve a visible distinction between assistant-authored text and third-party page content, including links, images, and alert-like blocks.
- Block automatic remote-image fetching in AI summaries. Treat image retrieval inside assistant responses as outbound network activity that must be policy-controlled.
- Inspect AI browsing flows for phishing transfer points. Review where a webpage enters an AI summarization workflow and where the output is rendered, then add controls at both edges.
That means browser security, IAM, and AI governance now need a shared control plane for provenance, rendering, and user-facing trust cues.
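One way to apply the labelling and remote-image guidance above, as an added example that is not code from Permiso Security or from this editorial: a pre-render filter for inline Markdown only (reference-style links and raw HTML are out of scope). The function names, the allow-list and all `.example` hostnames are assumptions constructed for illustration.

```javascript
// Added example: neutralise Markdown taken from a third-party page before an
// assistant UI renders it. Hostnames below are constructed sample values.
const IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;
const LINK = /\[([^\]]+)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

// Hostname of an absolute URL, or null for relative or unparseable targets.
function hostOf(target) {
  try { return new URL(target).hostname || null; } catch { return null; }
}

function neutralizeImported(markdown, sourceHost, allowedHosts = new Set()) {
  const report = { blockedImages: [], unverifiedLinks: [] };

  // 1. Images: never emit image syntax, so the client makes no request that
  //    would expose IP, User-Agent, Referer or timing to the remote host.
  let out = markdown.replace(IMAGE, (_m, _alt, target) => {
    const host = hostOf(target) ?? "unknown";
    report.blockedImages.push(host);
    return `{image removed, source: ${host}}`;
  });

  // 2. Links: keep only https links to allow-listed hosts clickable; show the
  //    real destination host as plain text for everything else.
  out = out.replace(LINK, (m, text, target) => {
    const host = hostOf(target);
    const https = host !== null && new URL(target).protocol === "https:";
    if (https && allowedHosts.has(host)) return m;
    report.unverifiedLinks.push(host ?? "unknown");
    return `${text} (unverified link, destination: ${host ?? "unknown"})`;
  });

  // 3. Provenance: quote the result under a visible label so it cannot pass
  //    for assistant-authored text.
  const quoted = out.split("\n").map((line) => `> ${line}`).join("\n");
  const label = `> Imported content from ${sourceHost} (not assistant-authored):`;
  return { text: `${label}\n${quoted}`, report };
}

// Constructed sample of page content carrying an alert-style lure.
const SAMPLE = [
  "**Security alert:** [Verify your account](https://login.phish.example/a)",
  "![status](https://track.phish.example/p.png?u=1)",
  "Docs: [help centre](https://help.corp.example/kb)",
].join("\n");

const RESULT = neutralizeImported(SAMPLE, "blog.phish.example",
  new Set(["help.corp.example"]));
```

The `report` object gives the "both edges" review a concrete artefact to log: which hosts a summary would have contacted and which destinations were shown as unverified.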
Explore further
Browser-mediated assistant rendering is now part of the identity attack surface. The browser is no longer just a delivery channel for web content, because AI summarization can transform third-party text into trusted-looking assistant output. That changes the governance problem from page safety to response safety, and it puts identity and trust boundaries at the point where the user decides whether content is first-party or imported. Practitioners should treat AI-rendered web summaries as a separate control domain, not an extension of normal browsing.
A few things that frame the scale:
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: How can organisations reduce QR-code phishing in AI-assisted browsing workflows?
A: Require explicit source verification for any QR code or image rendered inside an assistant response, and do not rely on desktop browser protections to catch the destination. The phone scan is the dangerous handoff point, so policy, monitoring, and user training need to cover the second device as well.