CometJacking Prompt Injection Vulnerability in Perplexity's Comet AI Browser
Security researchers at LayerX have identified a critical security weakness in the Comet AI browser developed by Perplexity, which is susceptible to a novel prompt injection attack dubbed 'CometJacking.' The vulnerability allows attackers to craft malicious URLs that, when processed by the Comet browser, inject hidden instructions capable of accessing sensitive data from connected services such as email and calendar applications. The attack does not require user credentials or direct interaction, making it particularly dangerous and easy to exploit. By embedding malicious prompts in web pages, comment sections, or even code accessed by the browser, cybercriminals can instruct Comet to exfiltrate data residing in memory or accessible through its integrations. For example, if a user asks Comet to rewrite an email or schedule a meeting, the browser could be manipulated to extract and transmit the content and metadata of those communications to an external server controlled by the attacker. LayerX demonstrated a proof of concept where the browser was instructed to encode sensitive data in base64 and send it to a remote endpoint, successfully bypassing Perplexity's existing safeguards. The browser's agentic AI capabilities, which allow it to autonomously perform tasks like managing emails, shopping, and booking tickets, increase the potential impact of this vulnerability. Despite being notified of the issue in late August, Perplexity responded that the reported weakness was 'not applicable' and considered it beyond their control to remediate. Security experts warn that the rapid adoption of the Comet browser, combined with its integration with various personal and enterprise services, amplifies the risk of widespread data exfiltration if the vulnerability is exploited in the wild. The attack leverages the 'collection' parameter in the URL query string to deliver the malicious prompt, instructing the AI agent to consult its memory and connected services rather than simply searching the web. This method allows attackers to bypass direct data transmission restrictions implemented by Perplexity, as the AI agent itself is manipulated to perform the exfiltration. The vulnerability highlights the broader risks associated with agentic AI browsers that have deep integrations with user data and services. Security researchers emphasize the need for more robust safeguards and prompt injection defenses in AI-powered browsers to prevent similar attacks. The incident also raises questions about vendor responsibility and the challenges of securing AI-driven automation tools. Organizations using the Comet browser are advised to review their security posture and consider the risks of integrating sensitive services with agentic AI tools. The case underscores the importance of continuous security assessment and responsible disclosure in the rapidly evolving landscape of AI-powered applications. As the CometJacking technique requires only a crafted URL, it could be weaponized in phishing campaigns or embedded in seemingly innocuous web content, increasing the attack surface for potential victims. The ongoing debate between researchers and the vendor over the severity and remediability of the issue further complicates the response and mitigation efforts.
Timeline
Oct 3, 2025
Researchers disclose CometJacking flaw in Perplexity's Comet browser
Security researchers reported a weakness dubbed 'CometJacking' in Perplexity's Comet AI browser that could be abused to trick the browser into accessing and exfiltrating email and other sensitive data. Multiple outlets covered the same disclosure, describing it as a one-click attack against the browser's AI-assisted behavior.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
CometJacking Prompt Injection Attack in Perplexity's Comet AI Browser
A new attack technique called **CometJacking** has been identified, targeting Perplexity's Comet AI browser through prompt injection via URL parameters. By embedding malicious instructions in the `collection` parameter of a URL, attackers can direct the AI agent to access and exfiltrate sensitive data from connected services such as Gmail and Google Calendar, without requiring user credentials or interaction. LayerX researchers demonstrated that the AI browser could be manipulated to encode and send confidential information to an external endpoint, bypassing existing security checks and highlighting a fundamental vulnerability in current LLM-based systems. The rise of AI-driven browsers and generative AI tools in the enterprise environment has significantly increased the risk of data exfiltration, with copy-paste actions into AI prompts now surpassing traditional file transfers as the primary vector for corporate data leaks. According to LayerX's Browser Security Report 2025, 77% of employees paste data into AI prompts, and a substantial portion of this activity occurs through personal accounts, making governance and monitoring more challenging. The report underscores the urgent need for organizations to implement stricter controls over AI tool usage, monitor clipboard and prompt activity for sensitive data, and adapt data loss prevention strategies to address the evolving threat landscape posed by AI-enabled browsers and prompt injection attacks like CometJacking.
1 months ago
Prompt Injection Risks in Agentic AI and AI-Powered Browsers
Security researchers reported that **prompt injection** is enabling practical attacks against *agentic AI* systems that have access to tools and user data, and argued the industry is underestimating the threat. A proposed framing, **“promptware,”** describes malicious prompts as a malware-like execution mechanism that can drive an LLM to take actions via its connected tools—potentially leading to **data exfiltration**, cross-system propagation, IoT manipulation, or even **arbitrary code execution**, depending on the permissions and integrations available. Trail of Bits disclosed results from an adversarial security assessment of Perplexity’s *Comet* browser, showing how prompt injection techniques could be used to **extract private information from authenticated sessions (e.g., Gmail)** by abusing the browser’s AI assistant and its tool access (such as reading page content, using browsing history, and interacting with the browser). Their threat-model-driven testing emphasized that agentic assistants can treat external web content as instructions unless it is explicitly handled as **untrusted input**, and they published recommendations intended to reduce prompt-injection-driven data paths between the user’s local trust zone (profiles/cookies/history) and vendor-hosted agent/chat services.
1 months ago
PerplexedBrowser (PleaseFix) Vulnerability Hijacks Perplexity Comet’s AI Agent via Calendar Invites
Security researchers at **Zenity Labs** disclosed **PleaseFix**, a family of critical vulnerabilities affecting *agentic browsers*—including **Perplexity’s Comet**—that enable **AI agent hijacking** via *indirect prompt injection* embedded in routine workflows. In the Comet-specific **PerplexedBrowser** variant, attackers can trigger unauthorized agent actions inside an authenticated user session, including **local file access** and **data exfiltration**, while the agent continues to behave normally from the user’s perspective, reducing the chance of detection. One demonstrated attack uses a **poisoned Google Calendar invite**: hidden content (e.g., whitespace-obscured elements and a `system_reminder`-style instruction block) is processed when a user asks Comet’s agent to handle the invite, causing an “intent collision” where the agent merges the user’s request with attacker instructions. The payload can drive background navigation to attacker-controlled infrastructure, bypass language-focused guardrails by switching languages (e.g., Hebrew), coerce the agent into reading sensitive `file://` resources (configuration files, API keys), and exfiltrate data by embedding it into outbound requests. A second exploit path described by Zenity Labs abuses agent-authorized workflows to manipulate password-manager interactions—potentially enabling **credential theft** (including from an unlocked **1Password** session) and **account takeover** without directly exploiting the password manager itself.
1 months ago