Security researchers at Brave Software discovered a serious vulnerability within the AI-powered web browser Perplexity Comet from web search engine developer Perplexity. The flaw lies in indirect prompt injection, a method that allows malicious instructions hidden in web pages to be interpreted as trusted commands. This discovery highlights growing risks posed by agentic browsing technologies when integrated into consumer-facing products.
Security Risk of AI Browsers: Security Researchers at Brave Software Discovered Prompt Injection Vulnerability in Perplexity Comet
Background on Agentic Browsing and Perplexity Comet
Agentic browsing refers to artificial intelligence systems or AI agents that not only summarize web content but also autonomously interact with online platforms. Unlike conventional summarization, these tools can click links, log into websites, and act within authenticated sessions. Such capabilities make them valuable for productivity, yet simultaneously expand the scope of potential security and privacy threats.
Perplexity Comet is an agentic browsing assistant that extends beyond simple summarization by autonomously navigating and interacting with websites. It can follow links, access authenticated sessions, and perform actions on behalf of users. Designed to increase productivity, the browser leverages a language model to interpret instructions, though this capability introduces complex security and privacy risks.
Brave Software discovered that Perplexity Comet improperly handled webpage content by passing it directly to the underlying language model without reliably distinguishing user instructions from untrusted or dubious page texts. This design flaw created an opportunity for attackers to conceal instructions inside ordinary webpage content. The system then misinterpreted these hidden texts as legitimate requests from users.
Explaining What Prompt Injection Vulnerability Is
Attackers can embed malicious prompts in multiple ways. Examples included invisible texts that are blended in the background, HTML comments, or hidden elements such as spoiler tags in online forums. These hidden instructions are ingested alongside visible content once included in a page. The model then processes them without differentiation, enabling attackers to manipulate browsing agents into executing harmful actions.
The attack flow outlined by researchers at Brave Software progresses through four stages: setup, trigger, injection, and exploit. First, an attacker plants hidden prompts. Next, the user requests a summary. Third, the language model processes hidden instructions. Finally, the AI agent executes unauthorized cross-domain actions, such as accessing sensitive information or exfiltrating data across different online platforms.
A proof-of-concept created by the researchers demonstrated how this attack could unfold. Hidden within a Reddit spoiler tag, malicious instructions directed Perplexity Comet to open the account pages associated with a particular user of the AI-powered web browser, request an authentication code, retrieve it from the Gmail account of the same user, and post it back to the attacker. This enables a complete takeover of the user account.
The proof-of-concept further used subtle tricks to circumvent safety and security checks. One example was adding a trailing dot to a domain name to confuse domain validation while still pointing to the same site. This allowed the agent to treat slightly modified domains as legitimate, highlighting the fragility of safeguards when language models serve as intermediaries for browsing operations and website interactions.
Established web defenses, such as the same-origin policy and cross-origin restrictions, fail in this context. Because agentic browsing acts with the privileges of a logged-in user, natural language instructions, particularly when fed to a language model, can sidestep longstanding browser security assumptions, thus enabling attackers to access private data and credentials across multiple domains once instructions are successfully injected.
The scope of potential consequences is broad. Attackers could exploit the flaw to access corporate systems, online banking portals of individuals, cloud storage, or private communications. Because hidden prompts can be embedded in ordinary user-generated content, even benign platforms like email messages, social media platforms, or online discussion forums could unknowingly serve as launching points for significant attacks.
Recommendations From Brave Software Researchers
Researchers proposed several mitigations to prevent similar vulnerabilities. These include treating webpage content as untrusted, separating it from explicit user instructions, and conducting alignment checks between planned agent actions and original user requests. Agentic browsing assistants remain susceptible to hidden malicious commands embedded within everyday online interactions without these measures.
Additional safeguards recommended by the security researchers involve requiring explicit user confirmation for sensitive operations. These include accessing emails or sending messages. Isolating agentic browsing from ordinary browsing is equally critical. Deliberate entry into agentic modes, with restricted permissions and visible user cues, would minimize unintended exposure to hidden malicious prompts.
Note that Brave Software first reported the issue on 25 July 2025. Perplexity responded quickly with an initial fix by July 27. However, subsequent retesting revealed that the patch remained incomplete. A public disclosure followed on August 20, after Brave determined risks persisted despite attempted mitigation. Researchers stressed that classical web security models are not sufficient for agentic browsing systems.
FURTHER READING AND REFERENCE
- Brave Software. 20 August 2025. “Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet.” Blog. Brave Software. Available online