Perplexity Comet: A Critical Vulnerability Allows Hijacking of the AI Agent with Simple Hidden Text
As AI-driven web browsers, capable of acting on behalf of users, gain popularity, security remains a weak point for this technology. The security team at Brave has revealed a critical prompt injection vulnerability in Perplexity’s AI browser Comet, exposing users to significant risks of personal data leaks.
The Attack: A Simple Comment Can Hijack the AI Agent
The Comet AI browser relies on an AI assistant capable of summarizing web pages. However, the issue lies in the browser’s inability to clearly distinguish between user instructions and page content. Consequently, a malicious site can inject a hidden prompt directly into the content of a web page, which the AI will interpret and execute as a legitimate command.
For instance, a malicious comment on Reddit was used to force Comet to:
- Access Gmail,
- Retrieve a one-time password (OTP),
- And send it to the attacker.
Standard Protections Are Ineffective Against AI
According to researchers at Brave, this type of attack completely circumvents traditional web security mechanisms, such as the Same-Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS).
The AI agent operates with the user’s full privileges, granting it access to confidential emails, bank accounts, cloud storage, and even internal company interfaces.
Hackers can hide their instructions on a web page using white text on a white background or through CSS-hidden content. The AI, unable to distinguish between a malicious instruction and a normal request, executes the order without alerting the user.
OpenAI and Google Take Precautions
In light of this danger, OpenAI isolates its ChatGPT agent within a secured cloud browser, separate from personal browsers, while Google incorporates the Mariner agent exclusively into its services without exposing it directly in Chrome.
“The AI follows instructions from untrusted site content, rendering standard protections… ineffective,” states the Brave team.
Incomplete Patch: Perplexity Still Vulnerable
Brave reported the vulnerability to Perplexity in July 2025. Although a fix was deployed, recent tests indicate it is insufficient.
The prompt injection issue remains active, according to Brave researchers.
