Security researchers have found a serious vulnerability in Comet, the newly launched AI-powered browser from Perplexity. The flaw, known as a prompt injection attack, allows malicious websites to steal user data and trick the browser’s AI into carrying out actions the user never intended.
The vulnerability was first demonstrated by researcher Marvin von Hagen, who showed how easily the browser’s AI could be manipulated. His proof-of-concept raised urgent questions about the safety of using large language models inside web browsers.
Key takeaways
• Perplexity’s new AI browser Comet is vulnerable to prompt injection attacks.
• Malicious websites can embed hidden commands that the AI will execute.
• Attackers could steal a user’s browsing history and private queries.
• The flaw exposes the broader challenge of securing AI-driven web tools.
• Perplexity has acknowledged the problem and is working on a solution.
Perplexity, known for its AI search engine that delivers direct, summarized answers to questions, recently expanded into browsers with Comet for macOS and iOS. One of its main features allows users to ask the AI questions about any webpage they are viewing. The AI scans the page and provides a summary or a specific answer.
The problem arises in how Comet processes the content it reads. A prompt injection attack works by hiding malicious instructions inside a webpage. When a user asks Comet to summarize or analyze the content, the AI processes everything, including the hidden instructions. Instead of simply answering the user, it follows the attacker’s hidden commands.
Von Hagen created a demonstration page that revealed how this could work. He embedded a hidden instruction telling Comet’s AI to take the user’s original query and send it to a server he controlled. For instance, if someone asked, “Summarize the main points of this article,” the AI would first leak that question to von Hagen’s server before providing any summary. The proof-of-concept made clear that sensitive information, including private queries, could be exposed.
The risks, however, stretch further than leaking user questions. Attackers could design prompts that order the AI to perform unintended actions, sometimes referred to as indirect prompt injection. This could potentially be used to send emails, post on social media accounts, or access private data from other open tabs, all without the user realizing what is happening.
This problem is not unique to Comet. Similar vulnerabilities have been discovered in other AI-powered tools, which shows how widespread the issue really is. Developers across the industry continue to struggle with building safeguards that can reliably distinguish between what a user genuinely wants and what a malicious prompt is trying to force.
In response to von Hagen’s discovery, Perplexity confirmed it is aware of the issue and has begun working on a fix. Even so, the incident highlights how integrating AI directly into browsing tools comes with risks that are still very difficult to fully contain.
Frequently Asked Questions (FAQs)
Q1. What is Perplexity Comet?
A1. Perplexity Comet is a new web browser developed by the AI search engine company Perplexity. It is currently available for macOS and iOS and integrates AI features directly into the browsing experience, such as summarizing webpages.
Q2. What is a prompt injection attack?
A2. A prompt injection attack is a security exploit that targets applications using large language models (LLMs). An attacker inserts hidden, malicious instructions into the data that the AI model processes. The AI then executes these hidden instructions, leading to data leaks or other unintended actions.
Q3. Is my data at risk if I use Perplexity Comet?
A3. Yes, until the vulnerability is fixed, using the AI features in the Comet browser on untrusted websites could put your data at risk. Malicious websites can potentially steal your search queries and browsing activity.
Q4. How can I protect myself from such attacks?
A4. The best way to protect yourself is to be cautious about which websites you use the browser’s AI features on. Avoid using it on websites you do not fully trust. Additionally, always keep your browser and applications updated to ensure you have the latest security patches.
Q5. Has Perplexity fixed this issue?
A5. Perplexity has publicly acknowledged the vulnerability and confirmed that its team is actively working on a solution to address the security flaw. Users should look out for an update to the Comet browser.
