Perplexity's AI Browser Comet Vulnerable To Prompt Injection Attacks That Hijack User Accounts
(Monday August 25, 2025 @05:40PM (msmash)
from the enterprise-grade-red-flags dept.)
- Reference: 0178857326
- News link: https://it.slashdot.org/story/25/08/25/1654220/perplexitys-ai-browser-comet-vulnerable-to-prompt-injection-attacks-that-hijack-user-accounts
- Source link:
Security researchers have uncovered critical vulnerabilities in Perplexity's Comet browser that enable attackers to hijack user accounts and execute malicious code through the browser's AI summarization features. The flaws, discovered independently by Brave and Guardio Labs, exploit indirect prompt injection attacks that bypass traditional web security mechanisms when users request webpage summaries.
Brave [1]demonstrated account takeover through a malicious Reddit post that compromised Perplexity accounts when summarized. The vulnerability allows attackers to embed commands in webpage content that the browser's large language model executes with full user privileges across authenticated sessions.
Guardio's testing found the browser would [2]complete phishing transactions and prompt users for banking credentials without warning indicators. The paid browser, available to Perplexity Pro and Enterprise Pro subscribers since July, processes untrusted webpage content without distinguishing between legitimate instructions and attacker payloads.
[1] https://brave.com/blog/comet-prompt-injection/
[2] https://guard.io/labs/scamlexity-we-put-agentic-ai-browsers-to-the-test-they-clicked-they-paid-they-failed
Brave [1]demonstrated account takeover through a malicious Reddit post that compromised Perplexity accounts when summarized. The vulnerability allows attackers to embed commands in webpage content that the browser's large language model executes with full user privileges across authenticated sessions.
Guardio's testing found the browser would [2]complete phishing transactions and prompt users for banking credentials without warning indicators. The paid browser, available to Perplexity Pro and Enterprise Pro subscribers since July, processes untrusted webpage content without distinguishing between legitimate instructions and attacker payloads.
[1] https://brave.com/blog/comet-prompt-injection/
[2] https://guard.io/labs/scamlexity-we-put-agentic-ai-browsers-to-the-test-they-clicked-they-paid-they-failed
Yeah, Maybe Don't Do That (Score:4, Insightful)
by Gilmoure ( 18428 )
Letting a massive subsystem with repeatedly demonstrated minimal guard rails process unvetted content is kinda stupid.
Re: (Score:2)
by gweihir ( 88907 )
No "kinda" in there. This is full-on stupid on an advanced level.
I use Perplexity (Score:2)
by MpVpRb ( 1423381 )
I find it to be the most useful of all AIs I've tried
I downloaded Comet and never found a use for its fancy features
I would advise Perplexity to stick to what they're good at and abandon the browser project
Browsyour (Score:2)
by awwshit ( 6214476 )
Get Browsyour today and browse other people's browsing.
Water is wet... (Score:2)
by shellster_dude ( 1261444 )
Turns out mixing your command and data pathways and then allowing untrusted data is dangerous. In other equally as shocking news, water is wet, fire is hot, and taxes are rolling around again.
JFC (Score:2, Insightful)
> The paid browser, available to Perplexity Pro and Enterprise Pro subscribers since July, processes untrusted webpage content without distinguishing between legitimate instructions and attacker payloads.
How fucking stupid can people be to make software behave this poorly? The more we have this AI vibe-coded dullwit thinking, the more we get hurt.
Re: (Score:3)
Perl has had the concept of "tainted" data for decades now. You have to sanitize the data before using it. Seems like it would be a no-brainer to mark all data obtained from the web as tainted and refuse to use it as instructions.
Re: (Score:2)
It is a no-brainer. This approach gets taught in software security courses (at least in mine, but I would expect most/all others do it as well). The problem is people writing security critical code that have no clue about software security. That is cheap, but does not work and cannot work.
Re: (Score:2)
It's a little more complicated than that. When they load the page to be summarized, it gets put into the LLM's context. However in practice, ‘context’ is just the working prompt. Despite all the wording on the front end, an LLM has no concept of 'memory'. They groundhog day after every interaction. So in the background the prompt, any data you pull in (except with RAG, where the model still has no memory but gets fed fresh lookups each turn.), and the model's previous outputs all get combined i
Re: (Score:2)
In case you've not been following tech news for the last year or so, this is a vulnerability of ALL LLMs. It's not like vulnerabilities didn't exist before AI.
I was actually a beta tester for Comet (external, just a privileged user with early access tbh, though I got to talk to their product people). While the browser itself is okay (I stopped using it after a couple of weeks), I was very disturbed by their CEO's attitude toward privacy, with a stated intention to build the most comprehensive view of each u