By Swastika Sahu
Security researchers at the privacy-focused browser company Brave have revealed a vulnerability in Perplexity’s newly launched agentic AI browser, Comet, that could allow attackers to exploit indirect prompt injections and steal sensitive user data, including emails, banking passwords, and personal details, by manipulating how the browser interprets webpage content during tasks such as summarization.
Perplexity describes Comet as a tool that redefines how businesses engage with the web, blending enterprise-level security with advanced AI features and a user-friendly design.
The browser struggles to distinguish genuine user instructions from untrusted webpage content, allowing attackers to conceal malicious prompts within a site that Comet may mistakenly interpret and execute as user commands.
Comet is said to be the first web browser to put an AI agent at the core of the search experience. But this new approach has also sparked security and privacy concerns, since it requires extensive access to sensitive data from active user sessions. In Comet’s case, the AI agent can only draw information and context from platforms where the user is already logged in.
To highlight the risks, Brave researchers planted a malicious command in a Reddit post that could hijack a Comet user’s Perplexity account if they requested a page summary. Ironically, while endless scrolling on social media is usually dismissed as a harmless time sink, relying on Comet’s summarization tool in this case carried far more serious dangers.
The research took things a step further. By demonstrating that Comet could be persuaded to purchase a counterfeit Apple Watch from a website that most human users would instantly recognize as a likely scam. It also revealed that Comet would readily process an obviously fraudulent phishing email, proceed to the malicious site, and even prompt its user to enter banking details, without offering any signal that something suspicious was happening.
To address the issue, Brave recommended that Perplexity update the Comet browser so the AI agent can clearly distinguish between the user’s instructions and the website’s content before passing them on as context to the model.
“Based upon the task and the context, the model comes up with actions for the browser to take; these actions should be checked for alignment against the user’s requests,” the company said.
Comet is available only to Perplexity’s Pro and Enterprise Pro subscribers, meaning both individuals and businesses pay to use the browser. In exchange, however, they ended up with a product filled with security flaws, weaknesses that were uncovered by independent organizations, one of which is Brave, which chose to disclose the issues to the company and the public rather than exploit them for their own gain.
Cybersecurity firm Cloudflare Inc. has also alleged that Perplexity was gathering data from websites by bypassing safeguards meant to prevent such activity. Perplexity, however, contends that its AI assistant is not actively crawling the web but instead visiting specific sites at a user’s request, and therefore should not be held to the same standards.