Perplexity's Comet AI browser could expose your data to attackers - here's how

Screenshot by Lance Whitney/ZDNET

ZDNET's cardinal takeaways

• Perplexity's Comet browser could exposure your backstage data.
• An attacker could adhd commands to the punctual via a malicious website.
• The AI should dainty idiosyncratic information and website information separately.

Get much in-depth ZDNET AI coverage: Add america arsenic a preferred Google source on Chrome and Chromium browsers.

Agentic AI browsers are a blistery caller inclination successful the satellite of AI. Instead of you having to browse the web yourself to implicit circumstantial tasks, you archer the browser to nonstop its cause to transportation retired your mission. But depending connected which browser you use, you whitethorn beryllium opening yourself up to information risks.

In a blog station published Wednesday, the folks down the Brave browser (which offers its ain AI-powered adjunct dubbed Leo) pointed their corporate fingers astatine Perplexity's caller Comet browser. Currently available for nationalist download, Comet is built connected the premise of agentic AI, promising that your privation is its command.

Also: Why Perplexity is going aft Google Chrome - and yes, it's serious

Do you request to prime up a caller proviso of your favourite macromolecule portion astatine Amazon? Instead of doing it yourself, conscionable archer Comet to bash it for you.

OK, truthful what's the beef? First, there's surely an accidental for mistakes. With AI being truthful prone to errors, the cause could misinterpret your instructions, instrumentality the incorrect measurement on the way, oregon execute actions you didn't specify. The challenges multiply if you entrust the AI to grip idiosyncratic details, specified arsenic your password oregon outgo information.

But the biggest hazard lies successful however the browser processes the prompt's contents, and this is wherever Brave finds responsibility with Comet. In its ain demonstration, Brave showed however attackers could inject commands into the prompt done malicious websites of their ain creation. By failing to separate betwixt your ain petition and the commands from the attacker, the browser could exposure your idiosyncratic information to compromise.

Also: How to get escaped of AI Overviews successful Google Search: 4 casual ways

"The vulnerability we're discussing successful this post lies successful however Comet processes web leafage content," Brave said. "When users inquire it to 'Summarize this web page,' Comet feeds a portion of the web leafage straight to its LLM without distinguishing betwixt the user's instructions and untrusted contented from the web page. This allows attackers to embed indirect punctual injection payloads that the AI volition execute arsenic commands. For instance, an attacker could summation entree to a user's emails from a prepared portion of substance successful a leafage successful different tab."

To date, determination are nary known examples of specified attacks successful the wild.   

Brave said the onslaught demonstrated successful Comet shows that traditional web security isn't capable to support radical erstwhile utilizing agentic AI. Instead, specified agents request caller types of information and privacy. With that extremity successful mind, Brave recommended that respective measures beryllium implemented.

The browser should separate betwixt idiosyncratic instructions and website content. The browser should abstracted the requests submitted by a idiosyncratic astatine the punctual from the contented delivered astatine a website. With a malicious tract ever a possibility, this contented should ever beryllium treated arsenic untrusted.

The AI exemplary should guarantee that tasks align with the user's request. Any actions submitted to the punctual should beryllium checked against those submitted by the idiosyncratic to guarantee alignment.

Also: Scammers person infiltrated Google's AI responses - however to spot them

Sensitive information and privateness tasks should necessitate idiosyncratic permission. The AI should ever necessitate a effect from the idiosyncratic earlier moving immoderate tasks that impact information oregon privacy. For example, if the cause is told to nonstop an email, implicit a purchase, oregon log successful to a site, it should archetypal inquire the idiosyncratic for confirmation.

The browser should isolate agentic browsing from regular browsing. Agentic browsing mode carries immoderate risks, arsenic the browser tin work and nonstop emails oregon presumption delicate and confidential information connected a website. For that reason, agentic browsing mode should beryllium a wide choice, not thing the idiosyncratic tin entree accidentally oregon without knowledge.

With Brave uncovering responsibility with Comet, however has Perplexity responded? Here, I'm conscionable going to stock the timeline of events arsenic described by Brave.

• July 25, 2025: Vulnerability discovered and reported to Perplexity.
• July 27, 2025: Perplexity acknowledged the vulnerability and implemented an archetypal fix.
• July 28, 2025: Retesting revealed the hole was incomplete; further details and comments were provided to Perplexity.
• August 11, 2025: One-week nationalist disclosure announcement sent to Perplexity.
• August 13, 2025: Final investigating confirmed the vulnerability appears to beryllium patched.
• August 20, 2025: Public disclosure of vulnerability details (Update: connected further investigating aft this blog station was released, we learned that Perplexity inactive hasn't afloat mitigated the benignant of onslaught described here. We've re-reported this to them.)

Now, the shot is backmost successful Perplexity's court. I contacted the institution for remark and volition update the communicative with immoderate response.

Also: The champion unafraid browsers for privacy: Expert tested

"This vulnerability successful Perplexity Comet highlights a cardinal situation with agentic AI browsers: ensuring that the cause lone takes actions that are aligned with what the idiosyncratic wants," Brave said. "As AI assistants summation much almighty capabilities, indirect punctual injection attacks airs superior risks to web security."