Perplexity Comet Browser Prompt Injection Vulnerability Exposed
Summary
– Brave identified a security vulnerability in Perplexity’s Comet AI browser that allows attackers to inject prompts and access data from other open browser tabs.
– The vulnerability activates when users ask Comet to summarize a webpage, as the LLM processes embedded malicious prompts without distinguishing them from legitimate content.
– Attackers can exploit this by embedding indirect prompt injection payloads that command the AI to execute actions, such as accessing a user’s emails from another tab.
– Perplexity attempted to patch the vulnerability, but according to Simon Willison’s blog, the fix does not work effectively.
– A developer on X highlighted the severity of the issue, warning that prompt injection could lead to serious consequences like draining bank accounts through seemingly harmless activities like browsing Reddit.
A significant security flaw has been identified in Perplexity’s Comet AI browser, allowing attackers to inject malicious prompts and potentially access sensitive information from other open tabs. This vulnerability poses a serious risk to user privacy and data security, highlighting ongoing challenges in securing AI-integrated browsing tools.
The issue arises when users request the Comet browser to summarize a webpage. The browser’s language model processes content without distinguishing between legitimate user instructions and potentially harmful embedded commands from the webpage itself. This lack of separation enables attackers to insert indirect prompt injections that the AI executes as if they were valid user requests.
According to security researchers, an attacker could craft a webpage containing hidden prompts that command the AI to access and extract data from other active tabs. For example, a malicious site could trigger the AI to retrieve and transmit email contents or financial information without the user’s knowledge. This type of exploitation turns a routine summarization feature into a potential data breach vector.
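The missing separation described above, sketched as an added example that is not code from the article, Brave, or Perplexity. All function names, the message shape and the origins are hypothetical, and the embedded instruction is a constructed placeholder. It contrasts the undifferentiated prompt with provenance-labelled messages plus a policy gate that runs outside the model.

```javascript
// Added example; every name here is hypothetical, not Comet's or Brave's code.
// Constructed sample: page text carrying an embedded instruction (placeholder).
const PAGE_ORIGIN = "https://forum.example";
const PAGE_TEXT =
  "Great post about hiking. " +
  "[constructed embedded instruction asking the assistant to read another tab]";

// Weak pattern: the user's request and the page text share one string, so the
// model cannot tell which part came from the user.
function buildNaivePrompt(userRequest, pageText) {
  return userRequest + "\n\n" + pageText;
}

// Separated pattern: page text travels as labelled, untrusted data.
// Labelling records provenance only; it enforces nothing by itself.
function buildSeparatedMessages(userRequest, pageText, origin) {
  return [
    { role: "user", trusted: true, content: userRequest },
    { role: "data", trusted: false, origin, content: pageText },
  ];
}

// Enforcement outside the model: while untrusted content is in context, a
// model-proposed action is allowed only if it reads the page being summarized.
function authorizeAction(action, messages, userConfirmed = false) {
  const untrusted = messages.filter((m) => !m.trusted);
  if (untrusted.length === 0) return { allow: true, reason: "no untrusted content" };
  const samePage = untrusted.some((m) => m.origin === action.origin);
  if (action.type === "read" && samePage) return { allow: true, reason: "in scope" };
  if (userConfirmed) return { allow: true, reason: "user confirmed explicitly" };
  return { allow: false, reason: "needs explicit user confirmation" };
}

const messages = buildSeparatedMessages("Summarize this page", PAGE_TEXT, PAGE_ORIGIN);
// Constructed model-proposed actions: one in scope, one reaching into another tab.
const inScope = { type: "read", origin: PAGE_ORIGIN };
const crossTab = { type: "read", origin: "https://mail.example" };
console.log(authorizeAction(inScope, messages));
console.log(authorizeAction(crossTab, messages));
```

The gate decides on where content came from and what the action touches, not on whether the page text looks like an instruction, so it does not depend on the model resisting the embedded text.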
Independent analysis confirms that initial attempts to patch the vulnerability have been ineffective. Despite Perplexity’s efforts to address the security gap, the fundamental design flaw remains unmitigated, leaving users exposed to sophisticated prompt injection attacks.
Developers and security experts have reacted with alarm over the implications of such a vulnerability. One developer emphasized the real-world dangers, noting that casual browsing on platforms like Reddit could theoretically lead to severe consequences, including unauthorized access to personal financial accounts.
The situation underscores the broader security challenges facing AI-powered browsers, where the line between user intent and third-party content can become dangerously blurred. For now, the Comet browser’s vulnerability serves as a cautionary example of the risks associated with emerging AI technologies that interact directly with user data and browsing activity.
(Source: Search Engine Journal)





