Home » Feature Story » General » Comet AI browser hacked: How attackers breached Perplexity’s AI agent

Comet AI browser hacked: How attackers breached Perplexity’s AI agent

By Vyom Ramani | Updated on 25-Aug-2025
HIGHLIGHTS

Brave exposes Comet browser flaw, Perplexity’s AI vulnerable to hidden prompt injections

Attackers exploited Comet AI to steal credentials through malicious embedded web commands

Perplexity Comet security breach highlights urgent risks of agentic browsing and AI misuse

Comet AI browser hacked: How attackers breached Perplexity’s AI agent
Vyom Ramani Vyom Ramani
25-Aug-2025

When Perplexity AI unveiled its Comet browser, it was pitched as the next evolution of web navigation: an agentic browsing tool that could read, summarize, and act on information across the internet on a user’s behalf. But just weeks after launch, Brave researchers revealed a critical flaw that turned Comet into a liability.

Digit.in Survey
✅ Thank you for completing the survey!

The vulnerability wasn’t a bug in the traditional sense. Instead, it was a new kind of attack unique to AI-powered systems: indirect prompt injection. By hiding malicious instructions inside seemingly harmless web content—like a Reddit spoiler tag—attackers could trick Comet into following their commands, not the user’s.

Add As A Trusted Source For Google.
icon Add as a preferred source on Google

Also read: Perplexity CEO Aravind Srinivas thinks Google Search and Chrome browser are doomed: Here’s why

The exploit

Brave’s security team discovered that Comet blurred the line between user instructions and website content. In one proof-of-concept, a Reddit post embedded a hidden command that instructed Comet to retrieve a user’s one-time password and forward it elsewhere. In effect, attackers could hijack a browsing session without ever touching the user’s machine.

Unlike phishing emails or malware, which often rely on tricking the user, this technique tricked the AI agent itself. Users simply had to visit a page, and Comet could be manipulated into performing harmful actions behind the scenes.

Brave reported the flaw to Perplexity on July 25, 2025. Within two days, Perplexity issued a patch. But when Brave retested, the vulnerability persisted. A back-and-forth ensued, and by August 13, Perplexity claimed to have fixed the issue.

Brave’s August 20 disclosure, however, came with a caveat: the fix appeared incomplete. Researchers still identified ways to exploit Comet, suggesting the underlying security model wasn’t robust enough for the new risks introduced by agentic browsing.

Why existing safeguards fell short

Traditional web security assumes the browser acts deterministically, enforcing sandboxing, permission boundaries, and clear user intent. Comet’s AI agent broke that assumption. Since the AI could interpret and act on natural language, attackers could slip in malicious commands disguised as part of the page.

Brave highlighted several gaps:

  • No strong separation between user prompts and untrusted content.
  • No consistent user alignment checks to verify if actions matched what the human intended.
  • Insufficient confirmation mechanisms for sensitive operations, like sending emails or bypassing warnings.

Also read: Meet Comet, Perplexity’s new AI browser: How’s it different?Perplexity CEO Aravind Srinivas thinks Google Search and Chrome browser are doomed: Here’s why

In short, the AI was too trusting of text it encountered online.

Bigger implications for AI browsers

The Comet incident underscores a larger truth: AI-assisted browsing changes the threat landscape. A single injected sentence can alter how the AI agent behaves across domains, pulling data from authenticated sessions or triggering unintended actions.

It also highlights the opacity of closed systems. Unlike Brave’s Leo assistant, which has a security model built into an open-source browser, Comet remains proprietary—making it harder for independent researchers to verify fixes.

Brave suggests several remedies: separating user instructions from web data, building stronger alignment checks, and treating agentic browsing as a privileged mode that demands strict isolation. But even these are “necessary, not sufficient.” The broader challenge is rethinking security for AI systems that don’t just display the web—they act on it.

For Perplexity, the Comet breach is a reminder that the AI race isn’t just about speed or features. It’s about trust. And if AI browsers are going to become the default way we navigate the internet, that trust will be the hardest feature to engineer.

Also read: Edge, Neon, Comet, Arc: Top AI-powered browsers you must try

Vyom Ramani

Vyom Ramani

A journalist with a soft spot for tech, games, and things that go beep. While waiting for a delayed metro or rebooting his brain, you’ll find him solving Rubik’s Cubes, bingeing F1, or hunting for the next great snack. View Full Profile

Most Searched Mobile Phones
Latest Mobile Phones
Mobile Recharge Plans
Most Searched Laptops
Trending Movies & Web Series
Movies & Web Series
  • icon
  • icon
  • icon
  • icon
SUBSCRIBE Subscribe for the industry's biggest tech news
Enter your email to get notified about our new solutions
By submitting your email, you agree to our
Terms and Privacy Notice.
CONNECT WITH US
© 2025 Digit.in, All rights reserved
  • icon
  • icon
  • icon
  • icon
icon
© 2025 Digit.in, All rights reserved
Digit.in
Logo
Digit.in
Logo