Perplexity's AI browser 'Comet' risks leaking personal information by following malicious instructions embedded in websites
As AI technology advances, various companies are releasing browsers equipped with AI agents. A security engineer at the browser developer Brave has reported that the AI-powered browser '
AI agents that can browse the Web and perform tasks on your behalf have incredible potential but also introduce new security risks.
— Brave (@brave) August 20, 2025
We recently found, and disclosed, a concerning flaw in Perplexity's Comet browser that put users' accounts and other sensitive info in danger. pic.twitter.com/kwYTrwgznO
Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet | Brave
https://brave.com/blog/comet-prompt-injection/
Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet
https://simonwillison.net/2025/Aug/25/agentic-browser-security/
Brave's senior mobile security engineer, Artem Chaikin, said that a browser equipped with an AI agent can autonomously navigate web pages and even input necessary information, following user instructions such as 'book a flight to London next Friday.' However, he pointed out that such AI-powered browsing also raises security and privacy concerns.
The fact that browsers with AI agents can input various information on web pages means that the AI may hallucinate or receive malicious prompts, potentially leaking information in unexpected situations. Chaikin then tested various browsers with AI agents and discovered a vulnerability in Comet.
The vulnerability is related to the way Comet processes webpage content. When a user gives an instruction, such as 'Summarize this webpage,' Comet sends part of the webpage directly to the AI model, but it does not distinguish between user instructions and untrusted content within the webpage. This allows an attacker to embed malicious commands in the content for the AI to execute and wait for a target to fall for it.
The specific steps of an attack against Comet are as follows:
1. Attackers embed malicious instructions in web content in a variety of ways, including hidden white text on a white background, direct comments in HTML, and other invisible elements, as well as inserting malicious prompts into content posted to social media.
2: An unsuspecting user of an AI-enabled browser visits a page and uses the AI assistant function, such as 'summarize this page.'
3: When an AI agent processes a web page, it reads hidden instructions.
4: The AI agent follows the injected instructions and leaks the user's personal information.
Below is a video demonstrating the flow of an attack using the overseas message board Reddit as an example.
Open a Reddit page with Comet and use AI to summarize it.
Somehow, the attacker then accessed Perplexity's account information, revealing a section of the Reddit page that had been whited out, revealing instructions for Comet hidden in a hidden section.
Comet followed the suspicious instructions without question and posted the user's email address and authentication code on Reddit. This shows that AI agents built into browsers can follow instructions that would be considered suspicious by humans, just as they would follow instructions from users.
In response to this discovery, Brave suggests the following possible mitigations:
- Allows AI-powered browsers to distinguish between user instructions and content on websites.
Identify potentially unsafe actions and ensure they are consistent with the user request.
- Always get explicit permission from the user before performing any security or privacy related tasks.
- Allows browsers to separate browsing with AI agents from regular browsing.
Additionally, a study by security tool developer Guardio found that when Comet redirects users to 'fake online shops,' they enter their personal information and complete the purchase without verifying the website's legitimacy.
'Scamlexity': When Agentic AI Browsers Get Scammed
https://guard.io/labs/scamlexity-we-put-agentic-ai-browsers-to-the-test-they-clicked-they-paid-they-failed
Perplexity's Comet AI browser tricked into buying fake items online
https://www.bleepingcomputer.com/news/security/perplexitys-comet-ai-browser-tricked-into-buying-fake-items-online/
Brave also has an AI assistant called 'Leo,' and the company plans to publish a blog post explaining the security measures implemented in Leo.
Brave's AI assistant 'Leo' is now available on Android - GIGAZINE
in Software, Web Service, Video, Security, Posted by log1h_ik