Perplexity’s Comet AI browser had a major security flaw that exposed sensitive user data through a loophole in its AI-powered summarization feature.

Quick Summary – TLDR:

  • Brave researchers uncovered a vulnerability in Perplexity’s Comet browser involving indirect prompt injection
  • The flaw allowed attackers to steal emails, passwords, OTPs, and even banking data
  • Comet failed to distinguish between user commands and hidden webpage content
  • Perplexity confirmed the issue is now fixed after direct collaboration with Brave

What Happened?

A serious security vulnerability was discovered in Comet, the AI-powered browser developed by Perplexity. The flaw, uncovered by researchers at Brave, enabled attackers to use indirect prompt injection techniques to access users’ private data, including emails and banking credentials. Comet has since resolved the issue after working with Brave’s security team.

Comet Browser’s AI Left Users Exposed

Perplexity’s Comet browser is designed to assist users by using AI to perform tasks like summarizing content, managing emails, and even answering questions about open tabs. But this convenience came at a major cost.

Brave’s researchers found that when a user clicked “Summarize this webpage,” Comet would feed the webpage content directly to its large language model (LLM). The issue? It treated all content, including hidden or malicious text embedded by attackers, as legitimate instructions.

This led to a form of attack called indirect prompt injection, where hackers could embed commands into webpages that tricked the browser into executing unauthorized actions.

Real-World Exploits Were Demonstrated

To demonstrate the flaw, Brave created scenarios using sites like Reddit or Facebook where malicious text was hidden in plain sight. Comet’s AI then:

  • Extracted users’ email addresses
  • Requested one-time passwords (OTPs) from services like Gmail
  • Logged into accounts without user consent
  • Retrieved and sent sensitive data to attacker-controlled servers

According to Brave, traditional browser protections like same-origin policy (SOP) and cross-origin resource sharing (CORS) were ineffective against this type of AI-driven manipulation.

Unlike traditional web vulnerabilities that typically affect individual sites or require complex exploitation, this attack enables cross-domain access through simple, natural language instructions embedded in websites.

How Brave Handled the Disclosure

Brave first reported the issue to Perplexity on 11 August 2025, but by the time Brave published its blog post on 20 August, the flaw remained unresolved. However, Perplexity later confirmed to CNET that the vulnerability had been patched.

Jesse Dwyer, Perplexity’s head of communications, said, “This vulnerability is fixed… We have a pretty robust bounty program, and we worked directly with Brave to identify and repair it.”

Even after the fix, Brave continued to test Comet for further vulnerabilities and recommended safeguards to prevent such incidents in the future.

Brave’s Recommendations for Future Safety

To mitigate similar risks going forward, Brave shared several technical suggestions:

  • Separate webpage content from user instructions to avoid misinterpretation
  • Check for alignment between user intent and AI behavior before executing tasks
  • Ask for confirmation before performing actions involving privacy or security
  • Maintain a clear boundary between AI-driven and regular browsing tasks
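
The first three recommendations can be sketched as a policy gate that sits between the model and the browser's tools. This is an added example, not code from Brave or Perplexity; the task names, action kinds and the functions `buildRequest` and `reviewAction` are hypothetical, and the proposed actions are constructed sample data.

```javascript
// Added example: hypothetical agent-side policy gate, not Comet's or Brave's code.

// Action kinds that touch privacy or security and therefore need confirmation.
const SENSITIVE = new Set(["read_email", "submit_form", "send_request"]);

// Action kinds each user-issued task is allowed to need (assumed policy table).
const TASK_ALLOWS = {
  summarize_page: new Set(["read_page_text"]),
  draft_reply: new Set(["read_page_text", "read_email"]),
};

// Recommendation 1: the user's instruction and the page content travel in
// separate, labelled channels; page text is never merged into the instruction.
function buildRequest(userTask, pageText) {
  return {
    instruction: { source: "user", task: userTask },
    context: [{ source: "webpage", trusted: false, text: pageText }],
  };
}

// Recommendations 2 and 3: check every model-proposed action against the
// user's task, then require explicit confirmation for sensitive actions.
function reviewAction(request, action, confirm) {
  const task = request.instruction.task;
  const allowed = TASK_ALLOWS[task];
  if (!allowed || !allowed.has(action.kind)) {
    return { decision: "block", reason: `"${action.kind}" is not needed for "${task}"` };
  }
  if (SENSITIVE.has(action.kind) && !confirm(action)) {
    return { decision: "block", reason: "user declined confirmation" };
  }
  return { decision: "allow", reason: "aligned with user task" };
}

// Constructed scenario: the user asked only for a summary, but the model
// (influenced by untrusted page text) proposes extra actions.
function runDemo() {
  const req = buildRequest("summarize_page", "(constructed page text)");
  const proposed = [
    { kind: "read_page_text" },
    { kind: "read_email" },
    { kind: "send_request", url: "https://collector.example/" },
  ];
  const neverConfirm = () => false; // stands in for a user prompt
  return proposed.map((a) => reviewAction(req, a, neverConfirm).decision);
}

console.log(runDemo()); // [ 'allow', 'block', 'block' ]
```

The gate decides from the user's task and the action kind alone, so nothing written in the page text can widen what the assistant is permitted to do.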

A Wake-Up Call for AI Browsing

This incident highlights the growing security risks of AI-powered tools. While agentic browsers like Comet aim to revolutionize how users interact with the web, they also introduce new avenues for cyberattacks.

As more users turn to AI for daily browsing and automation, ensuring that these systems understand the difference between a human command and manipulated content is essential.

SQ Magazine Takeaway

Honestly, this one is a little scary. I love the idea of AI making our browsing smarter and more efficient, but security should never come second. Comet’s flaw wasn’t just a minor bug. It was a reminder that the more autonomy we give these tools, the more carefully we need to watch how they behave. I’m glad Perplexity moved fast to fix it, but I’d still recommend users keep a close eye on what permissions these AI tools have and stay alert when using any agentic browser. The smarter the browser, the higher the stakes.

Rajesh Namase

Tech Editor


Rajesh Namase is a seasoned tech blogger, digital entrepreneur, and founder of SQ Magazine. Known for creating the popular tech blog TechLila, he now covers cybersecurity and technology news with a focus on how digital trends shape modern life. Rajesh enjoys playing badminton, practicing yoga, and exploring new ideas beyond the screen.