Any web page a victim asks ChatGPT to summarize can become a phishing payload, according to research published by Permiso’s P0 Labs on May 29.
The ChatGPT response renderer reportedly trusts Markdown links and image links that originated from a third-party page the assistant just summarized, auto-fetching the images and surfacing the links as live, clickable elements inside the trusted assistant interface.
By appending instruction-like text to any page, an attacker can steer the resulting summary to include attacker-controlled content that inherits the look and authority of ChatGPT itself.
Permiso researcher Andi Ahmeti framed this as a trust-transfer problem, rather than a model-jailbreak one. The model can be influenced by untrusted content; the larger issue is that the output inherits the trust of the assistant.
Three Demonstrated Primitives
The research walked through three scenarios, each triggered by browsing to a page in Firefox and using the browser’s ChatGPT summarization flow.
In the first, an attacker appended formatting instructions to a GitHub README, convincing the model to append a fake account-security notification to its summary. ChatGPT produced a normal project summary and then continued into the spoofed alert, presenting an attacker-controlled URL as if OpenAI had issued it.
A second variant rendered an inline QR code pulled from an attacker-controlled S3 bucket. Because the ChatGPT client auto-fetches Markdown images, the QR code appeared inside the reply, ready to scan. That moved the attack off the desktop entirely, bypassing hover-preview, blocklists, and password-manager domain checks.
A third swapped the image source for a URL shortener, turning the rendered image into a passive tracking beacon. Every render of the answer fired a live HTTP request to attacker-controlled infrastructure, leaking IP, user-agent, referer, and timing.
Permiso also ran the same payload on a self-hosted marketing page to rule out anything GitHub-specific, with identical results. The researchers stressed this is not a Firefox bug: the same risk applies to any browser-integrated summarization system that renders untrusted Markdown without clearly separating source content.
Disclosure and OpenAI’s Response
Permiso said it submitted the issue to OpenAI through its Bugcrowd program on April 29.
According to the company’s disclosure timeline, OpenAI marked the initial report as Not Reproducible, then classified a revised submission as Not Applicable before later designating it a duplicate. Permiso requested follow-up communication on the wider impact before publishing on May 29.
Expert Insights has contacted OpenAI for comment on the research and will update this article with any response.
The pattern echoes Permiso’s March 2026 research into Copilot prompt injection via email summaries. Different product, different surface, the same root issue: attacker-controlled content rendering as trusted AI output.
