Permiseo — ChatGPhish Browser-Based Prompt Injection
AI relevance: This demonstrates that browser-integrated LLM summarization features — now shipping in mainstream AI assistants — expand the prompt-injection attack surface beyond email to any web page a user visits, turning legitimate documentation, blogs, and SaaS dashboards into phishing delivery vehicles.
What happened
- Permiseo researchers published "ChatGPhish," showing how hidden instructions embedded in any web page can manipulate ChatGPT's page summarization feature.
- Unlike email-based prompt injection (which faces spam filters and secure email gateways), this vector faces no such barriers: the victim simply visits a page and requests an AI summary.
- In proof-of-concept, researchers appended instruction-like content to a legitimate-looking page, causing ChatGPT to generate a real summary followed by a fake account security alert with a phishing link.
- The phishing link appeared rendered inside ChatGPT's interface, making it look like an official notification from the platform itself — a significant trust transfer vulnerability.
- A more advanced variant injected QR codes via Markdown images hosted on attacker-controlled S3 buckets, shifting the attack to cross-device (user scans on phone, never sees the underlying URL).
- The attack works through Firefox's page summarization workflow and applies to any browser-integrated LLM system rendering untrusted content without clear visual separation.
- Potential delivery surfaces include documentation portals, GitHub repos, blog posts, SaaS dashboards, help centers, and internal portals.
Why it matters
- Browser-based prompt injection eliminates the traditional friction of email-based attacks — no spam filters, no attachment scanning, no user training to bypass.
- The trust transfer from third-party web content to AI-generated output makes phishing significantly more convincing.
- QR code delivery via AI-rendered Markdown creates a cross-device attack chain that bypasses desktop browser protections entirely.
- Every AI-powered browsing feature (page summarization, Q&A on web content, AI overlays) inherits this risk by design.
What to do
- AI product teams: visually separate third-party content from AI-generated output; add "source attribution" labels on all rendered links and images.
- Users: treat AI-generated summaries with the same skepticism as email links — verify URLs before clicking, especially "security alerts" in summaries.
- Browser vendors: consider prompt-injection detection in page summarization pipelines, similar to email security gateways.
- Organizations: include browser-based AI summarization in security awareness training, not just email phishing.
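
One way a product team could apply the separation and source-attribution advice above is shown below. This is an added example, not code from Permiseo's research or from any vendor. The function name `annotateSummary`, the label wording, the blocking policy and the sample hosts are all assumptions.

```javascript
// Added example (not ChatGPT or Firefox code): neutralize links and images in an
// LLM page summary before it is rendered. Assumed policy: never fetch images,
// and show every link as plain text labelled with its real destination host.
const MD_IMAGE = /!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g;
const MD_LINK = /\[([^\]]+)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g;

function hostOf(url, base) {
  try {
    return new URL(url, base).hostname.toLowerCase();
  } catch {
    return null; // unparsable destination
  }
}

function annotateSummary(markdown, pageUrl) {
  const pageHost = hostOf(pageUrl);
  const findings = [];
  // 1. Images become inert text, so a remote QR code is never displayed.
  let text = markdown.replace(MD_IMAGE, (_m, _alt, url) => {
    const host = hostOf(url, pageUrl);
    findings.push({ kind: "image", host, offSite: !host || host !== pageHost });
    return `{image blocked, source: ${host || "no host"}}`;
  });
  // 2. Links lose their clickable form and gain a visible source label.
  text = text.replace(MD_LINK, (_m, label, url) => {
    const host = hostOf(url, pageUrl);
    const offSite = !host || host !== pageHost;
    findings.push({ kind: "link", host, offSite });
    return `${label} (${offSite ? "off-site link" : "same-site link"}: ${host || "no host"})`;
  });
  return { text, findings };
}

// Constructed sample: a summary whose tail was steered by injected page text.
const SAMPLE_PAGE = "https://docs.example.com/guide";
const SAMPLE_SUMMARY = [
  "The page explains how to rotate API keys.",
  "**Security alert:** [Verify your account](https://login.untrusted.example/verify)",
  "![Scan to confirm](https://bucket.untrusted.example/qr.png)",
  "See also [the FAQ](/faq).",
].join("\n");

const result = annotateSummary(SAMPLE_SUMMARY, SAMPLE_PAGE);
console.log(result.text);
console.log(result.findings.filter((f) => f.offSite));
```

The `findings` list can also feed telemetry: a summary that contains off-site links or images the user did not ask for is a useful signal for the detection step suggested to browser vendors.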