When Perplexity AI unveiled its Comet browser, it was pitched as the next evolution of web navigation: an agentic browsing tool that could read, summarize, and act on information across the internet on a user’s behalf. But just weeks after launch, Brave researchers revealed a critical flaw that turned Comet into a liability.
The vulnerability wasn’t a bug in the traditional sense. Instead, it was a new kind of attack unique to AI-powered systems: indirect prompt injection. By hiding malicious instructions inside seemingly harmless web content—like a Reddit spoiler tag—attackers could trick Comet into following their commands, not the user’s.
Also read: Perplexity CEO Aravind Srinivas thinks Google Search and Chrome browser are doomed: Here’s why
Brave’s security team discovered that Comet blurred the line between user instructions and website content. In one proof-of-concept, a Reddit post embedded a hidden command that instructed Comet to retrieve a user’s one-time password and forward it elsewhere. In effect, attackers could hijack a browsing session without ever touching the user’s machine.
Unlike phishing emails or malware, which often rely on tricking the user, this technique tricked the AI agent itself. Users simply had to visit a page, and Comet could be manipulated into performing harmful actions behind the scenes.
Brave reported the flaw to Perplexity on July 25, 2025. Within two days, Perplexity issued a patch. But when Brave retested, the vulnerability persisted. A back-and-forth ensued, and by August 13, Perplexity claimed to have fixed the issue.
Brave’s August 20 disclosure, however, came with a caveat: the fix appeared incomplete. Researchers still identified ways to exploit Comet, suggesting the underlying security model wasn’t robust enough for the new risks introduced by agentic browsing.
Traditional web security assumes the browser acts deterministically, enforcing sandboxing, permission boundaries, and clear user intent. Comet’s AI agent broke that assumption. Since the AI could interpret and act on natural language, attackers could slip in malicious commands disguised as part of the page.
Brave highlighted several gaps:
Also read: Meet Comet, Perplexity’s new AI browser: How’s it different?Perplexity CEO Aravind Srinivas thinks Google Search and Chrome browser are doomed: Here’s why
In short, the AI was too trusting of text it encountered online.
The Comet incident underscores a larger truth: AI-assisted browsing changes the threat landscape. A single injected sentence can alter how the AI agent behaves across domains, pulling data from authenticated sessions or triggering unintended actions.
It also highlights the opacity of closed systems. Unlike Brave’s Leo assistant, which has a security model built into an open-source browser, Comet remains proprietary—making it harder for independent researchers to verify fixes.
Brave suggests several remedies: separating user instructions from web data, building stronger alignment checks, and treating agentic browsing as a privileged mode that demands strict isolation. But even these are “necessary, not sufficient.” The broader challenge is rethinking security for AI systems that don’t just display the web—they act on it.
For Perplexity, the Comet breach is a reminder that the AI race isn’t just about speed or features. It’s about trust. And if AI browsers are going to become the default way we navigate the internet, that trust will be the hardest feature to engineer.
Also read: Edge, Neon, Comet, Arc: Top AI-powered browsers you must try
