What’s the story
A new research has revealed a major security flaw in Perplexity’s Comet, an AI-driven “agentic” web browser.
The vulnerability, discovered by Brave’s senior mobile security engineer Artem Chaikin and VP of Privacy and Security Shivan Kaul Sahib, exposes users to potential account hijacking.
The issue stems from how Comet handles webpage content when asked to summarize it.
How the attack works
The flaw in Comet lies in its inability to differentiate between user commands and untrusted content from webpages.
When asked to summarize a page, it directly feeds part of the webpage to its large language model (LLM).
This creates an opportunity for attackers to inject indirect prompt injection payloads that the AI will execute as commands.
For instance, a hacker could use this method to access a user’s emails by hiding malicious instructions behind a spoiler tag on Reddit.
Once the user visits the webpage, the attack is triggered
When an unsuspecting user visits this compromised webpage and uses the browser’s AI assistant feature, the attack is triggered.
The AI processes the webpage content and sees hidden malicious instructions, treating everything as user requests.
The injected commands then instruct the AI to misuse its browser tools, like visiting a user’s banking site and stealing saved passwords or exfiltrating sensitive information to an attacker-controlled server.
The attack poses a challenge to web security measures
The attack poses a major challenge to existing web security measures.
When an AI assistant follows malicious instructions from untrusted webpage content, traditional protections like same-origin policy (SOP) or cross-origin resource sharing (CORS) become ineffective.
The AI operates with the user’s full privileges across authenticated sessions, potentially giving access to banking accounts, corporate systems, private emails, cloud storage and other services.
Key characteristics of this new AI attack
Unlike traditional web vulnerabilities that affect individual sites or require complex exploitation, this attack enables cross-domain access through simple, natural language instructions embedded in websites.
The malicious instructions could even be included in user-generated content on a website the attacker doesn’t control (for example, attack instructions hidden in a Reddit comment).
The attack is both indirect in interaction and browser-wide in scope.
How to prevent such attacks?
To prevent such attacks, the browser should clearly separate user instructions from website contents when sending them as context to the model.
The contents of the page should always be treated as untrusted.
Also, based on task and context, the model comes up with actions for the browser to take; these actions should be checked for alignment against user’s requests.