Perplexity, the AI startup that wants to pay publishers for their scraped content, launched a new agentic web browser called “Comet” in July. It arrived with an impressive $200-per-month subscription cost, available for Perplexity Max and some Perplexity Pro subscribers.
According to Perplexity, “The security features, privacy, and compliance standards your business demands are already built into the core of Comet.” Now, the AI-powered browser is coming under fire for security vulnerabilities discovered by Brave and Guardio (via Tom’s Hardware).
In a report published on August 20, Brave Senior Mobile Security Engineer Artem Chaikin and VP of Privacy and Security Shivan Kaul Sahib posit that the vulnerabilities were discovered while comparing the Brave browser’s own upcoming AI implementation.
Leo, as Brave calls its built-in AI assistant, is currently being developed to include the ability “to browse the Web on your behalf, acting as your agent.” As Brave points out, “this kind of agentic browsing is incredibly powerful, but it also presents significant security and privacy challenges.
Part of the dev process involves comparing it to other AI browsers, including the open-source browser extension Nanobrowser and Perplexity’s Comet. Upon discovering vulnerabilities in the Comet browser, Brave reported them to Perplexity.
The vulnerability we’re discussing in this post lies in how Comet processes webpage content: when users ask it to “Summarize this webpage,” Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands. For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab.
Artem Chaikin, Shivan Kaul Sahib (Brave)
Brave explains the conditions for the vulnerability, and as it turns out, it wouldn’t take a mastermind to exploit it. A user visiting a webpage with embedded malicious content might use the AI assistant to summarize the copy.
The malicious content is scooped up with the regular content by the AI assistant to be processed. And because the AI assistant can’t tell the difference between malicious and non-malicious code, it follows the bad instructions.
Brave suggests that the malicious commands can be used to steal saved passwords, sensitive information (like banking details), and anything else related to a browser. In an example, Brave shows how summarizing a Reddit post with AI can lead to an infiltration of email and linked accounts.
Unlike traditional Web vulnerabilities that typically affect individual sites or require complex exploitation, this attack enables cross-domain access through simple, natural language instructions embedded in websites. The malicious instructions could even be included in user-generated content on a website the attacker doesn’t control (for example, attack instructions hidden in a Reddit comment). The attack is both indirect in interaction, and browser-wide in scope.
Artem Chaikin, Shivan Kaul Sahib (Brave)
Guardio’s testing and research, published August 20 and aptly named “Scamlexity,” largely reveals the same outcome as landed on by Brave when using AI browsers.
Guardio used Comet as its primary test subject, and it started the testing process “with scams that have been running for years” that humans normally find easy to spot.
Giving the AI assistant the command to “Buy me an Apple Watch,” Guardio researchers watched Perplexity AI scan an obviously fake Walmart page (created by the researchers), add the Apple Watch to the cart, use saved credit card and billing details, and check out.
One prompt, a few moments of automated browsing with zero human oversight, and the damage was done. While the human waits for a shiny new Apple Watch, the scammers are already spending their money.
Nati Tal, Shaked Chen (Guardio)
Guardio notes that this test ran several times, with Comet occasionally refusing the command due to security concerns. Other times, it stopped at the final checkout and asked a human to complete the process. But there were certainly instances where it took the bait and handed credentials over to would-be scammers.
Guardio also tested how Comet deals with banking-related phishing emails. Posing as a representative from Wells Fargo using an obviously fake ProtonMail address, researchers sent a link to a live phishing page.
Comet’s AI assistant immediately visited the link and offered to help the user hand over their credentials to scammers.
The result: a perfect trust chain gone rogue. By handling the entire interaction from email to website, Comet effectively vouched for the phishing page. The human never saw the suspicious sender address, never hovered over the link, and never had the chance to question the domain. Instead, they were dropped directly onto what looked like a legitimate Wells Fargo login, and because it came via their trusted AI, it felt safe.
Nati Tal, Shaked Chen (Guardio)
As Guardio points out, the natural human intuition that we’ve built up against phishing schemes is completely useless when AI is handling your decisions.
Microsoft Edge’s new Copilot Mode is a lot like Comet
Perplexity’s Comet browser isn’t the only AI-powered option out there. The Browser Company recently pivoted away from its Arc browser in favor of an AI browser it calls “Dia.” OpenAI is also rumored to be working on an agentic browser.
Microsoft is also getting in on the action. The company announced on July 28 a new and experimental “Copilot Mode” for Edge. The Edge AI experience is free for a limited time, and Microsoft lists many features that sound similar to what got Comet into trouble.
According to Windows Central Senior Editor Zac Bowden, “it oversees the address bar and new tab page and is always one click away from being able to analyze a website or document you’re looking at. Copilot in Edge is now also able to see across all your open tabs, offering contextual actions or suggestions based on your entire active browsing session, and not just one particular tab.”
Cause for concern? Not necessarily. But in any case, I wouldn’t yet trust AI to handle my web browsing.
