Perplexity Comet Browser Flaw Allows Attackers to Inject Malicious Prompts

Security researchers from Brave have uncovered a critical vulnerability in Perplexity’s Comet AI browser that allows attackers to inject malicious commands through hidden text embedded in screenshots.

This flaw demonstrates a fundamental security risk in how AI-powered browsers handle the boundary between user commands and untrusted web content.

The vulnerability exploits a technique called steganography to conceal dangerous instructions within web content.

Researchers created a proof-of-concept using faint light blue text on a yellow background invisible to the human eye but detectable by computers.

When users take a screenshot of a compromised webpage, Perplexity’s Comet browser uses optical character recognition (OCR) technology to extract all text, including the hidden malicious commands.

The critical flaw is that these extracted instructions are fed directly to the AI system without filtering or validation, allowing attackers to manipulate the browser into performing unauthorized actions.

The implications for users are severe, particularly for those maintaining active sessions with sensitive accounts.

If an attacker successfully injects a prompt into Comet, the AI could access bank accounts, steal emails, compromise corporate systems, or exfiltrate data from cloud storage.

The vulnerability completely bypasses traditional web security protections like the same-origin policy, which normally prevents websites from accessing each other’s confidential information.

Security researchers Artem Chaikin and Shivan Kaul Sahib from Brave emphasized that this isn’t an isolated problem.

Their research uncovered similar vulnerabilities in other agentic browsers, including Fellou, where simply asking the AI to navigate to a malicious website allows attackers to inject commands through visible webpage content.

Brave researchers responsibly reported the Comet vulnerability to Perplexity on October 1, 2025, providing the company time to address the issue before public disclosure.

The research reveals a fundamental design flaw in how AI browsers handle untrusted content when executing actions on users’ behalf.

Until agentic browsers implement proper safety barriers between content and commands, security experts recommend treating these tools as inherently risky.

Ideal safeguards would isolate AI browsing features from regular browsing and only activate them when users explicitly request them.

For now, users should avoid keeping sensitive accounts logged in while using agentic browser features, or avoid these tools entirely until stronger protections are implemented.

Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today