
Perplexity Comet AI Browser Vulnerable to Prompt Injection
Critical Security Flaw in Comet AI Browser
Perplexity’s Comet AI browser has been found vulnerable to a prompt injection attack that lets malicious instructions hijack the AI assistant and extract sensitive user data.
Brave’s security researchers demonstrated how a Reddit comment could trick Comet’s AI into retrieving a Gmail one-time password (OTP) and revealing it directly to the attacker in the comment thread.
This flaw underscores the ongoing risks in agentic browsers, where AI assistants perform actions on behalf of users, potentially exposing data from emails, bank accounts, cloud storage, and other sensitive services.
How the Prompt Injection Attack Works
In Comet AI, when the assistant summarizes a webpage, it does not clearly separate user instructions from page content. Malicious actors can embed instructions within web pages, which the AI may follow blindly.
Key points from the Brave report:
- Hidden instructions on a webpage can manipulate the AI agent.
- Traditional web security measures like same-origin policy (SOP) and CORS are ineffective.
- The AI operates with full user privileges, potentially accessing emails, corporate systems, banking accounts, and cloud storage.
- Attackers can hide malicious instructions using invisible text, such as white text on a white background.
Real-World Demonstration
Brave researchers showed a Reddit page where a hidden prompt tricked Comet into:
- Navigating to Gmail.
- Retrieving the user’s OTP.
- Returning it in the Reddit comment thread.
This incident illustrates the dangers of local AI agents running with unrestricted access to user data.
Industry Responses
To mitigate such risks, companies have adopted safer approaches:
- OpenAI: ChatGPT Agent runs in an isolated cloud browser, preventing local data exposure.
- Google: Project Mariner AI agent operates across products but avoids direct integration into Chrome.
Despite a patch released in July 2025, Brave researchers found that the Comet browser’s prompt injection vulnerability is not fully resolved. Users should remain cautious when using agentic AI browsers.
Why This Matters
The attack demonstrates significant challenges in AI security:
- AI assistants with full browser access are highly exploitable.
- Malicious web content can bypass traditional web security mechanisms.
- The risks extend to financial, corporate, and personal data.
As agentic browsers become more common, users and developers must prioritize security and isolation mechanisms to prevent such prompt injection attacks.
Anish is the founder of TechBoltX, sharing mobile gaming rewards, guides, and daily updates.