Submission: Perplexity Comet security flaw shows AI browsers are easily hijacked (nerds.xyz)
BrianFagioli writes: Brave researchers have revealed a troubling vulnerability in Perplexity’s Comet that shows just how risky AI-powered browsers can be. The flaw, known as an indirect prompt injection, allowed attackers to trick the browser into carrying out hidden commands.
The research was led by Brave engineer Artem Chaikin and detailed with VP of Privacy and Security Shivan Kaul Sahib. They found that Comet could not tell the difference between a user’s instructions and malicious text hidden inside a webpage. That oversight opened the door to serious account takeovers and data theft.
In their demonstration, a Reddit comment with invisible text instructed Comet to visit Perplexity’s account page, grab the user’s email, intercept a one-time password from Gmail, and then send the stolen data back to the attacker. Once the victim clicked “summarize page,” the AI did the rest automatically. No additional input was required from the user.
This kind of attack bypasses traditional web safeguards such as same-origin policy and CORS. Those protections normally prevent websites from stealing data across different domains, but when an AI assistant has full control of the browser, the rules break down. Because the AI operates with the full privileges of a logged-in user, it can move freely between services and access sensitive accounts without the user realizing what is happening.