Perplexity Comet Browser Vulnerable to Exploit

A security flaw has been found in Perplexity’s Comet AI browser that could allow attackers to access private information from other active tabs.

According to a report released by Brave, the issue involves a vulnerability where a malicious prompt can be injected into the browser, giving attackers a way to view data from open sessions across different tabs.

Comet AI Browser Vulnerability

Brave has recently raised concerns about a critical flaw found in Perplexity’s Comet AI browser. The issue becomes apparent when a user makes use of the “Summarise this webpage” feature, which is designed to condense online content into a simpler overview. While the function appears harmless, it unfortunately opens the door to a serious security risk.

The problem arises because the Comet browser uses a large language model (LLM) to generate summaries. In doing so, the LLM reads not only the main content of the page but also any embedded prompts or instructions hidden within it. These embedded commands can then be misinterpreted by the AI as genuine actions, creating an opportunity for attackers to exploit.

Brave explained that this vulnerability exists because Comet does not make a clear distinction between trusted user input and potentially harmful instructions buried inside a webpage. Instead, the browser simply passes sections of the site directly to the LLM, treating all information equally. This lack of separation is what allows attackers to manipulate the system.

In practice, this means that an attacker could embed a piece of malicious text into a web page. If a user then asked Comet to summarise that page, the AI could treat the hidden instructions as a command. Once triggered, this could allow unauthorised access to data from other open browser tabs.

The seriousness of the flaw lies in how far the exploit can reach. For example, an attacker could insert code that directs Comet to retrieve sensitive information such as emails, personal documents, or even login details from a completely separate tab. This makes what should be a convenient feature a potential risk to online privacy and security.

Brave highlighted this by giving a specific example: an attacker could design a webpage with hidden instructions that tell Comet to open another tab and fetch personal messages or financial information. The AI would not be able to tell the difference between the user’s genuine request and the malicious hidden text.

Simon Willison’s Weblog reported on the matter and noted that Perplexity had already attempted to roll out a patch to fix the issue. However, the patch did not resolve the problem, meaning users remain vulnerable if they continue to rely on Comet’s summarisation feature.

The failure of the initial fix raises concerns about whether AI-driven browsers are currently ready to handle such complex security challenges. While AI promises greater convenience and productivity for web users, the Comet case highlights how quickly these benefits can turn into risks without robust safeguards in place.

Adding to the criticism, a developer took to X (formerly Twitter) to express disbelief that the issue had not received wider attention. They argued that people underestimate the potential risks of using AI browsers, stating bluntly that “you can literally get prompt injected” simply by doomscrolling through sites like Reddit.

The developer also warned that such vulnerabilities could, in the worst-case scenario, allow attackers to gain access to bank accounts or other highly sensitive information. This comment underlined how dangerous indirect prompt injection can be when it is left unchecked.

The broader lesson here is that AI tools embedded in browsers need to be treated with caution. Users may assume that features such as summarisation are safe and fully tested, but as Comet shows, there are still gaps in how these systems process and separate instructions.

For now, experts recommend that users remain cautious when relying on AI browsers, especially for tasks involving sensitive data. Until more reliable protections are in place, the convenience of features like automatic summaries should be weighed against the potential security risks they carry.