Researchers have identified a potential security vulnerability in Perplexity’s new agentic AI browser, Comet, that could allow attackers to maliciously instruct the browser agent via indirect prompt injection and gain access to sensitive user data, including emails, banking passwords, and other personal information. The vulnerability is rooted in how Comet handles webpage content when responding to user prompts like ‘summarise this webpage’, security researchers at Brave, a privacy-focused search engine and browser company, said in a blog post on August 20. They claimed that Comet fails to distinguish between user instructions and untrusted content from webpages. This allows attackers to stealthily embed user prompts in webpage content that the Perplexity browser agent processes and executes as user commands. “For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab,” Brave said in its blog post. The findings come at a time when AI-centric browsers like Comet are gaining traction due to a fundamental shift in user behaviour when looking up information online. It also comes amid the rise of AI agents capable of autonomously performing various tasks such as browsing the web, making travel bookings, or shopping on behalf of the user. Comet is said to be the first-of-its-kind web browser as it places an AI agent at the centre of a user’s search experience. However, such browsers have raised security and privacy concerns as they require deep access to sensitive data from logged-in sessions. In Comet’s case, the AI agent is only able to pull information and context directly from platforms where the user is already logged in. Vulnerabilities in AI browsers also differ from traditional web exploits as they could allow the AI agent to be easily tricked into pulling sensitive data across domains. In response to the findings of Brave's report, Perplexity spokesperson Jesse Dwyer told The Indian Express, "The vulnerability is fixed. We worked directly with Brave to identify and repair the vulnerability." However, in its latest update, Brave said that while Perplexity acknowledged the security flaw and implemented an initial fix, the issue continues to persist upon further testing of the Comet browser. Brave’s testing of Comet While Brave did not cite any real-world cases of the vulnerability being exploited, it suggested that an attacker could hide malicious instructions for the AI agent between web content. These instructions would appear as text on white backgrounds, HTML comments, or other invisible elements. They could also be embedded in Reddit comments or Facebook posts. When a user submits a prompt such as "summarise this page", Comet’s AI browser assistant would crawl the webpage content and process it to extract the key points from the page. However, Brave claimed that Comet does not distinguish between the content it should summarise and the instructions it should not follow. This could let attackers hide commands in web content, tricking the AI assistant to visit a user’s banking website and extract saved passwords. Similarly, a user’s Perplexity account could also be taken over by exfiltrating their email address and OTP (in case of two-factor authentication). The final step could involve instructing the AI assistant to post these details as a reply to a Reddit post. To address the vulnerability, Brave suggested that Perplexity make changes to the Comet browser so that the AI agent can “clearly separate the user’s instructions from the website’s contents when sending them as context to the model”. “Based upon the task and the context, the model comes up with actions for the browser to take; these actions should be checked for alignment against the user’s requests,” the company said. “No matter the prior agent plan and tasks, the model should require explicit user interaction for security and privacy-sensitive tasks.”
