Perplexity’s latest AI-driven web browser, Comet, is under scrutiny after security experts discovered a vulnerability that could expose sensitive user information to attackers. The flaw, reported by researchers at Brave—a privacy-focused search engine and browser—suggests that malicious actors can exploit prompt injection attacks to trick the browser’s AI agent into carrying out harmful commands.

The Vulnerability Explained

According to Brave’s report dated August 20, the issue lies in how Comet processes webpage content when responding to user instructions such as “summarise this webpage.” Unlike traditional browsers, Comet uses an embedded AI agent that not only analyzes text but also acts on it. Researchers found that the browser fails to properly separate genuine user instructions from hidden commands planted in webpage content.

Brave’s blog post warned: “For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab.”

This means attackers could stealthily embed malicious prompts within web content, which the AI might execute as if they were user requests. These prompts could be hidden in HTML comments, invisible elements, Reddit threads, or social media posts, making them nearly impossible for users to detect.

Why It Matters Now

The discovery comes at a time when AI-first browsers like Comet are rapidly gaining popularity. With a fundamental shift in how users search and interact online, browsers powered by AI agents promise convenience—automating tasks like travel bookings, online shopping, or email management.

However, this deeper integration also poses new security challenges. Unlike traditional exploits, AI vulnerabilities can manipulate agents into cross-domain access, potentially exposing banking details, personal emails, and even authentication codes.

Perplexity’s Response and Brave’s Testing

When contacted, Perplexity spokesperson Jesse Dwyer told The Indian Express: “The vulnerability is fixed. We worked directly with Brave to identify and repair the vulnerability.”

Despite this reassurance, Brave maintained that further testing showed the issue still persists. The company clarified that no active exploitation cases have been reported yet but emphasized the ease with which attackers could potentially abuse the flaw.

The danger, researchers noted, is that the AI assistant might inadvertently visit banking websites, extract saved passwords, or even leak OTPs. In a worst-case scenario, attackers could instruct Comet to publicly post sensitive user data, such as replying with stolen information on Reddit.

Suggested Fixes

Brave recommended Perplexity redesign how Comet processes user queries versus webpage content. The report urged the company to ensure that:

• AI agents must separate user instructions from site data.
• Any actions involving sensitive information require explicit user approval.
• Security checks align AI-driven actions strictly with the user’s intent.

As Brave explained: “Based upon the task and the context, the model comes up with actions for the browser to take; these actions should be checked for alignment against the user’s requests. No matter the prior agent plan and tasks, the model should require explicit user interaction for security and privacy-sensitive tasks.”

The Road Ahead

While Comet positions itself as a first-of-its-kind AI browser offering intelligent search and task automation, this episode highlights the risks of entrusting autonomous AI systems with highly sensitive user data. The findings serve as a reminder that as browsers evolve into AI-driven assistants, security and privacy must evolve alongside them.