Recently, the Comet browser, an AI-based browser developed by Perplexity, was found to have a critical security vulnerability that allows it to process unverified input. This vulnerability enables the browser to accept and process text on web pages, including hidden malicious instructions, when requesting summaries of web content. This type of attack is known as an indirect prompt injection attack.
Image source note: The image was generated by AI, and the image licensing service is Midjourney
The discoverer of this vulnerability is the security team from Brave browser, a competitor. While comparing their own AI service Leo with the AI implementations of other browsers, they noticed security issues in Comet. Artem Chaikin, a senior mobile security engineer at Brave, and Shivan Kaul Sahib, Vice President of Privacy and Security, mentioned in a blog post: "We discovered these vulnerabilities while researching Comet and reported them to Perplexity, which highlights the security challenges faced by proxy AI implementations in browsers."
They stated that this vulnerability shows that artificial intelligence cannot distinguish between user commands and untrusted content on web pages on its own. Chaikin and Sahib further explained that they created a proof-of-concept attack example where malicious instructions were hidden behind a "spoiler" tag on a Reddit page. When Comet was requested to summarize the page, it retrieved these instructions and successfully extracted a one-time password, thereby gaining access to the user's Perplexity account.
This issue is not new. Previously, the AI code editor Cursor also fixed a similar indirect prompt injection vulnerability, and Google's Gemini for Workspace AI assistant had faced similar issues. This has brought basic cybersecurity principles back into focus. Chaikin and Sahib pointed out: "The vulnerability in Perplexity Comet highlights the fundamental challenges faced by proxy AI browsers: ensuring that the proxy only performs actions consistent with the user's intent."
Perplexity has not yet responded to the status of the vulnerability's fix. Although Brave reported that the vulnerability was fixed on August 13, 2025, a Brave spokesperson said that Perplexity did not share the fix, and its code is not open source. They also said that it cannot be guaranteed that Comet has completely fixed all possible prompt injection attacks. As for whether Brave's Leo has experienced similar issues, the spokesperson said that Leo's AI summary function cannot trigger the browser to perform independent operations on behalf of the user.
Key Points:
🌐 Vulnerability Discovered: The Comet browser from Perplexity has a security vulnerability that processes malicious input, leading to indirect prompt injection attacks.
🔧 Fix Status: Brave reported that the vulnerability has been fixed, but it has not fully resolved all possible prompt injection attacks.
🔍 Security Alert: This incident reminds users to pay attention to security and privacy protection when using proxy AI browsers.
