Perplexity’s Comet AI Browser Can Be Hijacked Through Malicious Instructions

[Image: Perplexity launches Comet AI browser. Image credit: Perplexity via X]
In Short
  • Perplexity’s Comet AI browser has a prompt injection flaw that lets hidden instructions hijack the assistant and leak data.
  • A malicious Reddit comment tricked Comet into retrieving a Gmail OTP and revealing it to the attacker in the comment box.
  • The flaw remains partly unpatched, which shows ongoing risks in agentic browsers and prompt injection attacks.

While AI companies are increasingly rolling out agentic browsers — web browsers that can perform tasks on a user’s behalf — there are glaring security issues one should not overlook. Brave’s security team has disclosed a critical prompt injection vulnerability in Perplexity’s Comet AI browser. This indirect prompt injection can easily misguide the AI agent into revealing sensitive information.

In Perplexity’s Comet AI browser, when the AI Assistant is asked to summarize a webpage, it does not clearly separate the user’s trusted instruction from the page’s content. If a webpage contains malicious prompts, both are passed together to the AI model. This allows attackers to hijack the AI assistant and force it to perform harmful actions.

To demonstrate the security issue, Brave researchers showed how a Reddit page with a malicious comment could trick Comet’s assistant. Instead of simply summarizing the page, the AI followed hidden instructions, navigated to Gmail, retrieved a one-time password (OTP), and revealed it back to the attacker in the comment thread.

Since the AI agent has access to everything inside your browser, from Gmail to bank accounts, it can be easily manipulated with nothing more than a malicious, natural language prompt hidden on any webpage.
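As an added illustration (not Brave’s or Perplexity’s code), here is one defensive pattern the above implies: binding every action the agent proposes to the origin and read-only scope of the task the user actually requested, so that the sequence Brave describes (read the Reddit page, navigate to Gmail, read it, type into the comment box) is refused from the second step onward. The tool names, URLs and the action list are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the action sequence from the disclosure, as an agent
# might propose it while "summarizing" a page that carries hidden instructions.
PROPOSED_ACTIONS = [
    {"tool": "read_page", "url": "https://www.reddit.com/r/example/comments/1"},
    {"tool": "navigate", "url": "https://mail.google.com/"},
    {"tool": "read_page", "url": "https://mail.google.com/"},
    {"tool": "type", "url": "https://www.reddit.com/r/example/comments/1",
     "text": "[constructed secret]"},
]

READ_ONLY = {"read_page"}                        # tools that cannot change state
WRITE_TOOLS = {"navigate", "type", "click", "submit"}

@dataclass
class TaskScope:
    """What the user actually asked for: one task, bound to one origin."""
    task: str
    origin: str                  # scheme://host of the page the user was on
    allow_writes: bool = False   # "summarize" never needs state-changing tools

def origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()

def evaluate(scope: TaskScope, action: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Anything outside the user's task scope is
    refused rather than executed; the agent has to ask the user instead."""
    tool, url = action["tool"], action["url"]
    if origin_of(url) != scope.origin:
        return False, f"cross-origin {tool} to {origin_of(url)} outside task scope {scope.origin}"
    if tool in WRITE_TOOLS and not scope.allow_writes:
        return False, f"state-changing tool '{tool}' not permitted for task '{scope.task}'"
    if tool not in READ_ONLY | WRITE_TOOLS:
        return False, f"unknown tool '{tool}'"
    return True, "within scope"

def run_gated(scope: TaskScope, actions: list[dict]) -> list[tuple[dict, bool, str]]:
    """Gate every proposed action; blocked ones are logged, never executed."""
    return [(a, *evaluate(scope, a)) for a in actions]

if __name__ == "__main__":
    scope = TaskScope(task="summarize", origin="https://www.reddit.com")
    for action, ok, reason in run_gated(scope, PROPOSED_ACTIONS):
        print("ALLOW" if ok else "BLOCK", action["tool"], action["url"], "-", reason)
```

The gate does not try to detect the injected text itself; it assumes the model can be fooled and limits what a fooled model can do.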

Brave researchers wrote, “This attack presents significant challenges to existing Web security mechanisms. When an AI assistant follows malicious instructions from untrusted webpage content, traditional protections such as same-origin policy (SOP) or cross-origin resource sharing (CORS) are all effectively useless.”

“The AI operates with the user’s full privileges across authenticated sessions, providing potential access to banking accounts, corporate systems, private emails, cloud storage, and other services.”

Researchers warn that websites may embed malicious instructions hidden as white text on a white background, making them invisible to human eyes but visible to the AI agent. This way, AI agents can be easily hijacked and directed to perform harmful actions. That’s why OpenAI has released its ChatGPT Agent in an isolated, cloud browser and doesn’t allow it to run on your local, personal browser.

Google has taken a similar approach by integrating the Project Mariner AI agent across its products, rather than embedding it directly into Chrome. The risk posed by prompt injection is substantial, and it remains one of the biggest challenges in the AI security field.

Brave’s team reported the issue to Perplexity in July 2025, and the Comet browser was patched within days. However, retesting showed that the patch was incomplete. According to Brave, the prompt injection issue in Perplexity’s Comet browser is not fully mitigated.
