updated To the surprise of no one in the security industry, processing untrusted, unvalidated input is a bad idea.

Until about a week ago, Perplexity's AI-based [1]Comet browser did just that – asked to summarize a web page, the AI-powered browser would ingest the text on the page, no questions asked, and process it.

And if the page text – visible or hidden – happened to include malicious instructions, Comet would attempt to comply, carrying out what's known as an indirect prompt injection attack.

[2]

Rival browser maker Brave, which has its own AI service called Leo, discovered the vulnerability when comparing Leo to other browser AI implementations, according to Artem Chaikin, senior mobile security engineer, and Shivan Kaul Sahib, VP of privacy and security.

[3]

[4]

"While looking at Comet, we discovered vulnerabilities which we reported to Perplexity, and which underline the security challenges faced by agentic AI implementations in browsers," said Chaikin and Sahib in a [5]blog post .

"The attack demonstrates how easy it is to manipulate AI assistants into performing actions that were prevented by long-standing web security techniques, and how users need new security and privacy protections in agentic browsers."

[6]

The basic issue is that artificial intelligence lacks intelligence – these models cannot, on their own, distinguish between a user's instructions and untrusted content on a web page.

[7]GenAI FOMO has spurred businesses to light nearly $40 billion on fire

[8]AI skeptics zone out when chatbots get preachy

[9]Anarchy in the AI: Trump's desire to supercharge US tech faces plenty of hurdles

[10]KPMG wrote 100-page prompt to build agentic TaxBot

Chaikin and Sahib recount how they created [11]a proof-of-concept attack consisting of malicious instructions posted to a Reddit page that were hidden behind a "spoiler" tag. Asked to summarize the page, Comet ingested the text on the page, saw the instructions, and then exfiltrated a one-time password granting access to the user's Perplexity account.

This is a well-known problem. Only last month, AI code editor Cursor [12]patched an indirect prompt injection vulnerability, an issue also seen in Google's [13]Gemini for Workspace AI assistant. And yet here we are, revisiting basic web security principles.

"This vulnerability in Perplexity Comet highlights a fundamental challenge with agentic AI browsers: ensuring that the agent only takes actions that are aligned with what the user wants," observed Chaikin and Sahib. "As AI assistants gain more powerful capabilities, indirect prompt injection attacks pose serious risks to web security."

Perplexity did not immediately respond to a request for comment.

[14]

While Brave reports that the flaw appears to have been fixed as of August 13, 2025, a Brave spokesperson said Perplexity did not share the patch and the browser's code is not open source. "We also cannot guarantee that Comet has completely fixed all possible prompt injection attacks," Brave's spokesperson said.

Asked whether Brave's Leo has had to deal with this issue, Brave's spokesperson said, "AI summarization in Leo cannot trigger the browser into acting as an agent and taking independent actions." ®

Updated to add at 2145 GMT on August 20, 2025

On Wednesday afternoon, Brave updated its [15]blog post to say that Perplexity has not yet fully mitigated the issue and that Brave has re-reported the problem.

Get our [16]Tech Resources



[1] https://www.theregister.com/2025/07/09/perplexity_comet_browser/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aKZFd0QhL9a1kkOpVVaWhAAAABI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aKZFd0QhL9a1kkOpVVaWhAAAABI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aKZFd0QhL9a1kkOpVVaWhAAAABI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://brave.com/blog/comet-prompt-injection/

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aKZFd0QhL9a1kkOpVVaWhAAAABI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2025/08/18/generative_ai_zero_return_95_percent/

[8] https://www.theregister.com/2025/08/20/ai_moral_persuasion/

[9] https://www.theregister.com/2025/08/20/opinion_us_govt_ai/

[10] https://www.theregister.com/2025/08/20/kpmg_giant_prompt_tax_agent/

[11] https://vimeo.com/1111446047?fl=pl&fe=sh

[12] https://hiddenlayer.com/innovation-hub/how-hidden-prompt-injections-can-hijack-ai-code-assistants-like-cursor/

[13] https://hiddenlayer.com/innovation-hub/new-gemini-for-workspace-vulnerability/

[14] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aKZFd0QhL9a1kkOpVVaWhAAAABI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[15] https://brave.com/blog/comet-prompt-injection/

[16] https://whitepapers.theregister.com/