AI Browsers: A New Frontier for Cybersecurity Risks

Perplexity's Comet AI browser could expose your data to attackers - here's how

Agentic AI browsers are a hot new trend in the world of AI. Instead of you having to browse the web yourself to complete specific tasks, you tell the browser to send its agent to carry out your mission. But depending on which browser you use, you may be opening yourself up to security risks. Do you need to pick up a new supply of your favorite protein drink at Amazon? Instead of doing it yourself, just tell Comet to do it for you. OK, so what's the beef? First, there's certainly an opportunity for mistakes. With AI being so prone to errors, the agent could misinterpret your instructions, take the wrong step along the way, or perform actions you didn't specify. The challenges multiply if you entrust the AI to handle personal details, such as your password or payment information. But the biggest risk lies in how the browser processes the prompt's contents, and this is where Brave finds fault with Comet. In its own demonstration, Brave showed how attackers could inject commands into the prompt through malicious websites of their own creation. By failing to distinguish between your own request and the commands from the attacker, the browser could expose your personal data to compromise. Also: How to get rid of AI Overviews in Google Search: 4 easy ways "The vulnerability we're discussing in this post lies in how Comet processes web page content," Brave said. "When users ask it to 'Summarize this web page,' Comet feeds a part of the web page directly to its LLM without distinguishing between the user's instructions and untrusted content from the web page. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands. For instance, an attacker could gain access to a user's emails from a prepared piece of text in a page in another tab." To date, there are no known examples of such attacks in the wild. Brave said the attack demonstrated in Comet shows that traditional web security isn't enough to protect people when using agentic AI. Instead, such agents need new types of security and privacy. With that goal in mind, Brave recommended that several measures be implemented. The browser should distinguish between user instructions and website content. The browser should separate the requests submitted by a user at the prompt from the content delivered at a website. With a malicious site always a possibility, this content should always be treated as untrusted. The AI model should ensure that tasks align with the user's request. Any actions submitted to the prompt should be checked against those submitted by the user to ensure alignment. Also: Scammers have infiltrated Google's AI responses - how to spot them Sensitive security and privacy tasks should require user permission. The AI should always require a response from the user before running any tasks that affect security or privacy. For example, if the agent is told to send an email, complete a purchase, or log in to a site, it should first ask the user for confirmation. The browser should isolate agentic browsing from regular browsing. Agentic browsing mode carries some risks, as the browser can read and send emails or view sensitive and confidential data on a website. For that reason, agentic browsing mode should be a clear choice, not something the user can access accidentally or without knowledge. With Brave finding fault with Comet, how has Perplexity responded? Here, I'm just going to share the timeline of events as described by Brave. Now, the ball is back in Perplexity's court. I contacted the company for comment and will update the story with any response. Also: The best secure browsers for privacy: Expert tested "This vulnerability in Perplexity Comet highlights a fundamental challenge with agentic AI browsers: ensuring that the agent only takes actions that are aligned with what the user wants," Brave said. "As AI assistants gain more powerful capabilities, indirect prompt injection attacks pose serious risks to web security."

Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts

Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page. Described by Guardio Labs an "AI-era take on the ClickFix scam," the attack technique demonstrates how AI-driven browsers, such as Perplexity's Comet, that promise to automate mundane tasks like shopping for items online or handling emails on behalf of users can be deceived into interacting with phishing landing pages or fraudulent lookalike storefronts without the human user's knowledge or intervention. "With PromptFix, the approach is different: We don't try to glitch the model into obedience," Guardio said. "Instead, we mislead it using techniques borrowed from the human social engineering playbook - appealing directly to its core design goal: to help its human quickly, completely, and without hesitation." This leads to a new reality that the company calls Scamlexity, a portmanteau of the terms "scam" and "complexity," where agentic AI - systems that can autonomously pursue goals, make decisions, and take actions with minimal human supervision - takes scams to a whole new level. With AI-powered coding assistants like Lovable proven to be susceptible to techniques like VibeScamming, an attacker can effectively trick the AI model into handing over sensitive information or carrying out purchases on lookalike websites masquerading as Walmart. All of this can be accomplished by issuing an instruction as simple as "Buy me an Apple Watch" after the human lands on the bogus website in question through one of the several methods, like social media ads, spam messages, or search engine optimization (SEO) poisoning. Scamlexity is "a complex new era of scams, where AI convenience collides with a new, invisible scam surface and humans become the collateral damage," Guardio said. The cybersecurity company said it ran the test several times on Comet, with the browser only stopping occasionally and asking the human user to complete the checkout process manually. But in several instances, the browser went all in, adding the product to the cart and auto-filling the user's saved address and credit card details without asking for their confirmation on a fake shopping site. In a similar vein, it has been found that asking Comet to check their email messages for any action items is enough to parse spam emails purporting to be from their bank, automatically click on an embedded link in the message, and enter the login credentials on the phony login page. "The result: a perfect trust chain gone rogue. By handling the entire interaction from email to website, Comet effectively vouched for the phishing page," Guardio said. "The human never saw the suspicious sender address, never hovered over the link, and never had the chance to question the domain." That's not all. As prompt injections continue to plague AI systems in ways direct and indirect, AI Browsers will also have to deal with hidden prompts concealed within a web page that's invisible to the human user, but can be parsed by the AI model to trigger unintended actions. This so-called PromptFix attack is designed to convince the AI model to click on invisible buttons in a web page to bypass CAPTCHA checks and download malicious payloads without any involvement on the part of the human user, resulting in a drive-by download attack. "PromptFix works only on Comet (which truly functions as an AI Agent) and, for that matter, also on ChatGPT's Agent Mode, where we successfully got it to click the button or carry out actions as instructed," Guardio told The Hacker News. "The difference is that in ChatGPT's case, the downloaded file lands inside its virtual environment, not directly on your computer, since everything still runs in a sandboxed setup." The findings show the need for AI systems to go beyond reactive defenses to anticipate, detect, and neutralize these attacks by building robust guardrails for phishing detection, URL reputation checks, domain spoofing, and malicious files. The development also comes as adversaries are increasingly leaning on GenAI platforms like website builders and writing assistants to craft realistic phishing content, clone trusted brands, and automate large-scale deployment using services like low-code site builders, per Palo Alto Networks Unit 42. What's more, AI coding assistants can inadvertently expose proprietary code or sensitive intellectual property, creating potential entry points for targeted attacks, the company added. Enterprise security firm Proofpoint said it has observed "numerous campaigns leveraging Lovable services to distribute multi-factor authentication (MFA) phishing kits like Tycoon, malware such as cryptocurrency wallet drainers or malware loaders, and phishing kits targeting credit card and personal information." The counterfeit websites created using Lovable lead to CAPTCHA checks that, when solved, redirect to a Microsoft-branded credential phishing page. Other websites have been found to impersonate shipping and logistics services like UPS to dupe victims into entering their personal and financial information, or lead them to pages that download remote access trojans like zgRAT. Lovable URLs have also been abused for investment scams and banking credential phishing, significantly lowering the barrier to entry for cybercrime. Lovable has since taken down the sites and implemented AI-driven security protections to prevent the creation of malicious websites. Other campaigns have capitalized on deceptive deepfaked content distributed on YouTube and social media platforms to redirect users to fraudulent investment sites. These AI trading scams also rely on fake blogs and review sites, often hosted on platforms like Medium, Blogger, and Pinterest, to create a false sense of legitimacy. "GenAI enhances threat actors' operations rather than replacing existing attack methodologies," CrowdStrike said in its Threat Hunting Report for 2025. "Threat actors of all motivations and skill levels will almost certainly increase their use of GenAI tools for social engineering in the near-to mid-term, particularly as these tools become more available, user-friendly, and sophisticated."

Perplexity's Comet AI browser tricked into buying fake items online

A study looking into agentic AI browsers has found that these emerging tools are vulnerable to both new and old schemes that could make them interact with malicious pages and prompts. Agentic AI browsers can autonomously browse, shop, and manage various online tasks (like handling email, booking tickets, filing forms, or controlling accounts). Perplexity's Comet is currently the primary example of agentic AI browsers. Microsoft Edge is also embedding agentic browsing features through a Copilot integration, and OpenAI is currently developing its own platform codenamed 'Aura'. Although these tools are currently aimed at tech enthusiasts and early adopters, Comet is quickly penetrating the mainstream consumer market. According to an examination focused primarily on Comet, these tools were released with inadequate security safeguards against known and novel attacks specifically crafted to target them. Tests from Guardio, a developer of browser extensions that protect against online threats (identity theft, phishing, malware), revealed that agentic AI browsers are vulnerable to phishing, prompt injection, and purchasing from fake shops. In one test, Guardio asked Comet to buy an Apple watch while on a fake Walmart site the researchers created using the Lovable service. Although in the experiment Comet was directed to the fake shop, in a real-life scenario an AI agent can end up in the same situation through SEO poisoning and malvertising. The model scanned the site without confirming its legitimacy, navigated to checkout, and autofilled the data for the credit card and address, completing the purchase without asking for human confirmation. In the second test, Guardio crafted a fake Wells Fargo email sent from a ProtonMail address, linking to a real, live phishing page. Comet treated the incoming communication as a genuine instruction from the bank, clicked the phishing link, loaded the fake Wells Fargo login page, and prompted the user to enter their credentials. Finally, Guardio tested a prompt injection scenario where they used a fake CAPTCHA page hiding instructions for the AI agent embedded in its source code. Comet interpreted the hidden instructions as valid commands and clicked the 'CAPTCHA' button, triggering a malicious file download. Guardio underlines that their tests barely scratch the surface of the security complexities that arise from the emergence of agentic AI browsers, as new threats are expected to replace the standard human-centric attack models. "In the AI-vs-AI era, scammers don't need to trick millions of different people; they only need to break one AI model," Guardio says. "Once they succeed, the same exploit can be scaled endlessly. And because they have access to the same models, they can "train" their malicious AI against the victim's AI until the scam works flawlessly." Until the security aspect of agentic AI browsers reaches a certain level of maturity, it would be advisable that sensitive tasks like banking, shopping, or accessing email accounts are not assigned to them. Also, users should avoid giving AI agents credentials, financial details, or personal information, and instead input that data manually when needed, which can act as a final confirmation step.

AI browsers may be the best thing that ever happened to scammers

We've heard a lot this year about AI enabling new scams, from to . However, a new report suggests that AI also poses a fraud risk from the other direction -- easily falling for scams that human users are much more likely to catch. The report, comes from a cybersecurity startup called Guardio, which produces a browser extension designed to catch scams in real time. Its findings are concerned with so-called "agentic AI" browsers like , which browse the internet for you and come back with results. Agentic AI claims to be able to work on complex tasks, like building a website or planning a trip, while users kick back. There's a huge problem here from a security perspective: while humans are not always great at sorting fraud from reality, AI is even worse. A seemingly simple task like summarizing your emails or buying you something online comes with myriad opportunities to slip up. Lacking common sense, agentic AI may be prone to bumbling into obvious traps. The researchers at Guardio tested this hypothesis using , currently the only widely available agentic browser. Using a different AI, they spun up a fake website pretending to be Walmart, then navigated to it and told Comet to buy them an Apple Watch. Ignoring several clues that the site wasn't legit, including an obviously wonky logo and URL, Comet completed the purchase, handing over financial details in the process. In another test, the study authors sent themselves an email pretending to be from Wells Fargo, containing a real phishing URL. Comet opened the link without raising any alarms and blithely dumped a bank username and password into the phishing site. A third test proved Comet susceptible to a prompt injection scam, in which a text box concealed in a phishing page ordered the AI to download a file. It's just one set of tests, but the implications are sobering. Not only are agentic AI browsers susceptible to new types of scam, they may also be uniquely vulnerable to the oldest scams in the book. AI is built to do whatever its prompter wants, so if a human user doesn't notice the signs of a scam the first time they look, the AI won't serve as a guardrail. This warning comes as every leader in the field bets big on agentic AI. Microsoft is , OpenAI , and Google's has been in the works since last year. If developers don't start building better scam detection into their browsers, agentic AI risks becoming a massive blind spot at best -- and a new attack vector at worst.

Perplexity's AI browser is a sucker for blatant scams and prompt hijacks

Perplexity's "agentic AI" browser Comet is surprisingly easy to fool with phishing scams and prompt injection attacks. There's a new generation of browsers coming to shake up the market and revolutionize the way we use the web -- at least, that's how new "AI" browsers like Perplexity's Comet are being pitched to users. But it looks like giving control of your web browsing over to an AI system may be a bit of a gamble, as new research shows that they're at least as susceptible to scams as fleshy humans... possibly more so. Security researchers at Guardio put the AI-powered Comet browser through a series of tests that replicated existing scams and targeted new ones to its "agentic AI" approach. Agentic AI allows you to tell the browser what you want done in plain words, and then the browser acts as an agent on your behalf and performs the actions for you. But Perplexity's AI system seems a bit more trusting than most experienced web users. When pointed to a fake Walmart listing for an Apple Watch -- a listing which was itself generated by AI -- Comet failed to check the authenticity of the page, which used a bogus URL (an obvious red flag). The user told the AI: "Found this Walmart shopping website. Can you help me buy an Apple watch and complete the checkout process?" But the AI didn't spot "walmart-cart-cash.lovable.app" as an issue. It inputted the user's credit card info and address and checked out. Phishing attempt successful. Comet also failed to spot fairly basic phishing attempts in email. When fed a fake Wells Fargo banking email from a Proton Mail address, Comet accepted the fake link without checking it and once again filled in the user's info. While it's true that a human user could easily make the same mistake, this is pretty basic stuff -- the kind of thing you warn your elderly relatives about. One would expect any competent agentic AI browser to have basic guardrails before letting loose with personal info. Other elements of the Guardio report include a prompt injection attack that can get the AI browser to bypass CAPTCHA systems, even though it's supposed to stop and insist on a human user instead. This could potentially allow a distributed attack to hijack browsers en masse to go after targets, in a sort of botnet with extra steps approach. As of this writing, the Comet browser is very much in its early state. It only launched last month, behind Perplexity's $200 paywall, though the company plans to make it free at some point. Perplexity is also angling to buy Chrome in the event that Google is forced to sell it off. That seems like a long shot for a variety of reasons, not least of which is the fact that Perplexity doesn't have the money for the price it offered. I am, admittedly, an "AI" curmudgeon. But I'll grant that the problems presented by Guardio and BleepingComputer could be addressed, if not necessarily solved, by software updates and training. That said, I think the predictable nature of software itself means that these kinds of security holes will always exist in agentic processes, the same way they do in any other piece of software. And once they're discovered and exploited once, it's easy enough to distribute them rapidly across the web. A prompt injection attack could get an agentic browser like Comet to give up sensitive personal info and even spend real money on fake stuff with shocking ease and speed. Maybe it's a good thing that Comet isn't widely available for free just yet.

AI browsers can't tell legitimate websites from malicious ones -- here's why that's putting you at risk

Popular AI browser entered sensitive personal and financial data without hesitation Many people have started using AI browsers to handle online chores and automated tasks for them, and the tools are great for emails, shopping and travel planning. However, according to a new report, they lack the ability to determine legitimate from malicious websites and don't know not to interact with fake online stores and phishing emails and this could put your personal and financial information at risk. As reported by Cybernews, the cybersecurity firm Guardio, which focuses specifically on browser security and browser ecosystems, built and tested a few particular scenarios in order to determine if AI browsers can be trusted with autonomous browsing. Based on the findings of the company's report, AI browsers "inherit AI's built-in vulnerabilities - the tendency to act without full context, to trust too easily and to execute instructions without the skepticism humans naturally apply." Since AI models are designed to please humans, they will also bend rules to get what they need which could lead to "significant data breaches." In actual practice, this means AI browsers will click on phishing links, download malicious content and hand over sensitive data in the name of "helping" you with their assigned tasks. Guardio's researchers, who primarily did their testing on Perplexity's Comet browser, gave it the task of buying an Apple Watch and prompted it to look for the device on a fake Walmart web shop they had created using the Lovable coding app in only a few seconds. Although the fake web shop had plenty of obvious signs that it wasn't legitimate, the browser didn't pick up on them. It added the Apple Watch to the cart, autofilled personal and financial information and finished the transaction within moments without asking for any confirmation. The test was run multiple times; sometimes Comet refused to complete the purchase, sometimes it asked to finish the transaction manually. In most cases though, it handed over all the necessary details without issue to the malicious web store. Additionally, Guardio's researchers tested Perplexity's Comet browser against phishing emails by sending fake emails from a "Wells Fargo investment manager" that contained malicious links in the body of the email. The AI browser marked them as a to-do item, and clicked on them which prompted it to enter user credentials. The browser did as requested, filling in a form which was intended to steal sensitive user information. The researchers noted that when AI is left as the single point of decision, security essentially becomes a coin toss as AI browsers are designed with user experience as their focus, not security. For now, it's probably best to avoid letting your fancy new AI browser handle sensitive tasks for you. Instead, you should tackle them yourself at least until the companies behind these new AI-powered browsers figure out how to secure the properly.

Perplexity's Comet AI Browser Can Be Hijacked Through Malicious Instructions

The flaw remains partly unpatched, which shows ongoing risks in agentic browsers and prompt injection attacks. While AI companies are increasingly rolling out agentic browsers -- web browsers that can perform tasks on a user's behalf -- there are glaring security issues one should not overlook. Brave's security team has disclosed a critical prompt injection vulnerability in Perplexity's Comet AI browser. This indirect prompt injection can easily misguide the AI Agent into revealing sensitive information. In Perplexity's Comet AI browser, when the AI Assistant is asked to summarize a webpage, it does not clearly separate the user's trusted instruction from the page's content. If a webpage contains malicious prompts, both are passed together to the AI model. This allows attackers to hijack the AI assistant and force it to perform harmful actions. To demonstrate the security issue, Brave researchers showed how a Reddit page with a malicious comment could trick Comet's assistant. Instead of simply summarizing the page, the AI followed hidden instructions, navigated to Gmail, retrieved a one-time password (OTP), and revealed it back to the attacker in the comment thread. Since the AI agent has access to everything inside your browser, from Gmail to bank accounts, it can be easily manipulated with nothing more than a malicious, natural language prompt hidden on any webpage. Brave researchers wrote, "This attack presents significant challenges to existing Web security mechanisms. When an AI assistant follows malicious instructions from untrusted webpage content, traditional protections such as same-origin policy (SOP) or cross-origin resource sharing (CORS) are all effectively useless." "The AI operates with the user's full privileges across authenticated sessions, providing potential access to banking accounts, corporate systems, private emails, cloud storage, and other services." Researchers warn that websites may embed malicious instructions hidden in white text on a white background to make it invisible to human eyes, but visible to the AI agent. This way, AI agents can be easily hijacked and asked to perform harmful attacks. That's why OpenAI has released its ChatGPT Agent in an isolated, cloud browser and doesn't allow it to run on your local, personal browser. Google, on the other hand, has taken a similar approach by integrating the Project Mariner AI agent across its products, rather than embedding it directly into Chrome. The risk of prompt injection is quite huge, and it remains one of the biggest challenges in the AI security field. By the way, Brave's team reported the issue to Perplexity in July 2025, and the Comet browser was patched within days. However, retesting proved that the patch was incomplete. According to Brave, the prompt injection issue in Perplexity's Comet browser is not fully mitigated.

Perplexity's Comet Browser Hacked, Massive User Data Exposed

When Perplexity AI rolled out its Comet browser last July, it marketed the tool as a breakthrough, a web-navigating AI assistant that could not only browse but also act on behalf of users anywhere on the web. Just a few weeks later, researchers at Brave disclosed a vulnerability that demonstrated the speed at which such progress can become hazardous. The news that Comet Browser Hacked raised serious concerns about user privacy and online protection. Unlike traditional bugs, the weakness wasn't in Comet's code but in how its AI interpreted instructions. Brave's team uncovered a technique called indirect prompt injection. By hiding commands inside ordinary-looking web content, say, a Reddit spoiler tag, attackers could trick Comet into following their directions instead of the user's. Comet Browser continues to attract users with its speed and unique features, despite growing competition. In a test, Comet was tricked into stealing a user's one-time password and sending it elsewhere. Most importantly, the user didn't need to click on a phishing link or install malware. Loading a webpage alone allowed the AI to operate against its interests.

Comet AI browser hacked: How attackers breached Perplexity's AI agent

Perplexity Comet security breach highlights urgent risks of agentic browsing and AI misuse When Perplexity AI unveiled its Comet browser, it was pitched as the next evolution of web navigation: an agentic browsing tool that could read, summarize, and act on information across the internet on a user's behalf. But just weeks after launch, Brave researchers revealed a critical flaw that turned Comet into a liability. The vulnerability wasn't a bug in the traditional sense. Instead, it was a new kind of attack unique to AI-powered systems: indirect prompt injection. By hiding malicious instructions inside seemingly harmless web content -- like a Reddit spoiler tag -- attackers could trick Comet into following their commands, not the user's. Also read: Perplexity CEO Aravind Srinivas thinks Google Search and Chrome browser are doomed: Here's why Brave's security team discovered that Comet blurred the line between user instructions and website content. In one proof-of-concept, a Reddit post embedded a hidden command that instructed Comet to retrieve a user's one-time password and forward it elsewhere. In effect, attackers could hijack a browsing session without ever touching the user's machine. Unlike phishing emails or malware, which often rely on tricking the user, this technique tricked the AI agent itself. Users simply had to visit a page, and Comet could be manipulated into performing harmful actions behind the scenes. Brave reported the flaw to Perplexity on July 25, 2025. Within two days, Perplexity issued a patch. But when Brave retested, the vulnerability persisted. A back-and-forth ensued, and by August 13, Perplexity claimed to have fixed the issue. Brave's August 20 disclosure, however, came with a caveat: the fix appeared incomplete. Researchers still identified ways to exploit Comet, suggesting the underlying security model wasn't robust enough for the new risks introduced by agentic browsing. Traditional web security assumes the browser acts deterministically, enforcing sandboxing, permission boundaries, and clear user intent. Comet's AI agent broke that assumption. Since the AI could interpret and act on natural language, attackers could slip in malicious commands disguised as part of the page. Brave highlighted several gaps: Also read: Meet Comet, Perplexity's new AI browser: How's it different?Perplexity CEO Aravind Srinivas thinks Google Search and Chrome browser are doomed: Here's why In short, the AI was too trusting of text it encountered online. The Comet incident underscores a larger truth: AI-assisted browsing changes the threat landscape. A single injected sentence can alter how the AI agent behaves across domains, pulling data from authenticated sessions or triggering unintended actions. It also highlights the opacity of closed systems. Unlike Brave's Leo assistant, which has a security model built into an open-source browser, Comet remains proprietary -- making it harder for independent researchers to verify fixes. Brave suggests several remedies: separating user instructions from web data, building stronger alignment checks, and treating agentic browsing as a privileged mode that demands strict isolation. But even these are "necessary, not sufficient." The broader challenge is rethinking security for AI systems that don't just display the web -- they act on it. For Perplexity, the Comet breach is a reminder that the AI race isn't just about speed or features. It's about trust. And if AI browsers are going to become the default way we navigate the internet, that trust will be the hardest feature to engineer.