Brave's security researchers discovered a critical vulnerability in Perplexity Comet's agentic browsing feature that allows indirect prompt injection attacks. The vulnerability occurs when AI assistants process webpage content without distinguishing between user instructions and untrusted web content, enabling attackers to embed malicious commands in websites or social media comments. These attacks can bypass traditional web security mechanisms like same-origin policy, allowing unauthorized access to sensitive accounts and data across authenticated sessions. The research demonstrates how attackers can steal login credentials and take over accounts by hiding instructions in seemingly innocent content, highlighting the need for new security architectures specifically designed for AI-powered browsing agents.

9m read time. From brave.com