Comet browser faces multiple security vulnerabilities from prompt injection

Multiple security research organizations reported critical vulnerabilities in Perplexity's Comet browser between August and October 2025, revealing fundamental architectural weaknesses that could enable attackers to steal user credentials, access sensitive data, and exfiltrate private information through indirect prompt injection techniques.

Brave Security Team disclosed on August 20, 2025, that Comet contained indirect prompt injection vulnerabilities allowing attackers to steal account credentials, one-time passwords, and sensitive data through hidden webpage content. The security researchers discovered malicious instructions could be embedded in websites using techniques including white text on white backgrounds, HTML comments, or nearly-invisible text within images.

LayerX Security researchers discovered between August 27 and August 28, 2025, a vulnerability they termed "CometJacking." According to their findings, a single malicious URL with crafted query parameters could exfiltrate emails, calendar data, and connected service information. The researchers reported their findings to Perplexity on August 27-28, 2025. Perplexity allegedly responded that they saw "no security impact" and marked the reports as "not applicable."

The CometJacking attack mechanism works through commands hidden in URL parameters. When a user clicks a malicious link, which could be sent via email or displayed on a webpage, the hidden commands instruct Comet's assistant to access user memory and encode data using base64 encoding before transmitting it to attacker-controlled servers. A user asking Comet to edit an email or schedule a calendar appointment could have metadata exfiltrated to attackers without their knowledge.

On October 1, 2025, Brave discovered additional vulnerabilities involving Comet's screenshot functionality. These "unseeable prompt injection" attacks demonstrated the problem extended beyond the initial August disclosure. Perplexity's Comet assistant allows users to take screenshots on websites and ask questions about images. Malicious instructions embedded as nearly-invisible text within images are processed as commands rather than untrusted content.

Brave researchers demonstrated the attack using faint light blue text on yellow backgrounds, effectively hiding prompt injection instructions from human users. Text recognition technology extracts text imperceptible to humans, which is then passed to the language model without distinguishing it from the user's query. The injected commands instruct the assistant to use its browser tools maliciously.

Brave sent public disclosure notice to Perplexity on October 2, 2025. The security team proceeded with public disclosure of vulnerability details on October 21, 2025. Artem Chaikin, Senior Mobile Security Engineer at Brave, and Shivan Kaul Sahib, Vice President of Privacy and Security at Brave, conducted the vulnerability research. They published their findings in a blog post titled "Unseeable prompt injections in screenshots: more vulnerabilities in Comet and other AI browsers."

The researchers withheld one additional vulnerability found in another browser, stating they planned to provide more details the following week.

Enterprise security analysis conducted by several security firms found Comet up to 85% more vulnerable to phishing and web attacks compared to Chrome or other traditional browsers. These findings raised concerns about the fundamental architecture of agentic browsers that operate with user privileges across authenticated sessions.

Perplexity's Head of Communications stated the August 2025 vulnerability disclosed by Brave was fixed. "This vulnerability is fixed. We have a pretty robust bounty program, and we worked directly with Brave to identify and repair it," according to the statement. The company did not provide a public security roadmap detailing which vulnerabilities had been addressed and which architectural issues remained.

Two months after the August fix, Brave discovered new prompt injection vectors through screenshots, suggesting deeper architectural weaknesses rather than isolated bugs. The pattern indicated core architecture issues stemming from Comet's inability to distinguish between user instructions and untrusted webpage content.

On October 22, 2025, Perplexity's Security Team published a blog post titled "Mitigating Prompt Injection in Comet." The post acknowledged ongoing challenges. "Malicious Prompt injection remains an unsolved problem across the industry, and one that will require continued innovation, adaptation, and collaboration," according to the Perplexity Security Team.

The security vulnerabilities matter particularly because agentic browsers like Comet have extensive permissions and access to user accounts. The browser requires users to grant Perplexity access to view screens, send emails, access contacts, and modify calendar events before utilizing the assistant's advanced features. When users sign into sensitive accounts like banks or email providers in the browser, simply summarizing a Reddit post could result in attackers stealing money or private data.

Traditional web security assumptions break when AI agents act on behalf of users. Agentic browser assistants can be prompt-injected by untrusted webpage content, rendering protections such as the same-origin policy irrelevant because the assistant executes with the user's authenticated privileges. Simple natural-language instructions on websites or even Reddit comments can trigger cross-domain actions reaching banks, healthcare provider sites, corporate systems, email hosts, and cloud storage.

Perplexity made Comet browser freely available on October 2, 2025, after millions joined waitlists. The browser had initially been available exclusively to subscribers of the $200-per-month Max plan and select waitlist participants. The public release allowed any user to download Comet at perplexity.ai/comet without requiring a subscription.

Data from the limited release period revealed significant behavioral changes among users. The number of questions asked by Perplexity users increased between 6X and 18X in their first day after downloading Comet during the July through September period when the browser remained limited to Max subscribers and waitlist participants.

The company faced scrutiny over its data collection strategy. Perplexity CEO Aravind Srinivas revealed in May 2025plans to track user activities across the internet through the browser to build comprehensive user profiles for advertising purposes. "That's kind of one of the other reasons we wanted to build a browser, is we want to get data even outside the app to better understand you," Srinivas stated during a Technology Brothers Podcast Network interview. "We plan to use all the context to build a better user profile and, maybe you know, through our discover feed we could show some ads there."

The extensive access Comet requires to perform tasks like booking flights, writing and sending emails, and ordering from Amazon creates additional risk when combined with security vulnerabilities. If a user clicks a weaponized link, it could expose sensitive Comet data to attackers who can extract and exfiltrate it without the user's knowledge.

Brave researchers noted each attack they discovered fundamentally boiled down to a failure to maintain clear boundaries between trusted user input and untrusted web content when constructing language model prompts while allowing the browser to take powerful actions on behalf of the user. They recognized this as a hard problem and stated they had longer-term ideas they were exploring in collaboration with their research and security teams to address such problems.

Until categorical safety improvements exist across the browser landscape, agentic browsing will be inherently dangerous and should be treated as such. Brave recommended browsers should isolate agentic browsing from regular browsing and initiate agentic browsing actions like opening websites or reading emails only when users explicitly invoke them.

The security concerns extended beyond Comet. Brave's research on screenshot-based prompt injection also examined Fellou browser, discovering on August 20, 2025, that simply asking the browser to navigate to a website caused the browser to send the website's content to their language model. An attacker could embed malicious visible instructions on their website, and when users asked the assistant to navigate to the attacker's webpage, the browser would pass both the user's query and visible page content to the language model in a way that allowed webpage text to override or modify user intent.

The vulnerability disclosures occurred as multiple companies developed AI-powered browsers. The Browser Company launched Dia in June 2025, offering similar AI integration features. OpenAI reportedly considered developing its own browser, hiring former Google Chrome team members throughout 2024 and early 2025. OpenAI launched ChatGPT Atlas browser on October 21, 2025, on the same day Brave publicly disclosed the Comet vulnerabilities.

Anthropic launched Claude for Chrome extension as a research preview on August 26, 2025, with 1,000 Max subscribers. The company conducted extensive adversarial prompt injection testing, evaluating 123 test cases representing 29 different attack scenarios. Browser use without safety mitigations showed a 23.6% attack success rate when deliberately targeted by malicious actors. When Anthropic added safety mitigations to autonomous mode, they reduced the attack success rate from 23.6% to 11.2%.

The competitive landscape intensified as Perplexity expanded its browser strategy. The company acquired the OS.ai domain on July 13, 2025, signaling intentions to develop an AI-powered operating system complementing the Comet browser. Srinivas previously described his vision for Comet as developing "an operating system with which you can do almost everything," enabling Perplexity's AI to assist users across multiple applications and websites.

Perplexity launched its Max subscription tier on July 2, 2025, providing unlimited access to advanced AI models including OpenAI's o3-pro and Claude Opus 4 for $200 monthly. The subscription positioned the company to compete with premium artificial intelligence services while generating revenue from power users and enterprise customers.

The security vulnerabilities raised questions about whether users should trust agentic browsers with sensitive account access. When granting AI access to services, privacy is at risk. The risks are further exacerbated when using Comet because of its security flaws. If users allow Perplexity's Comet browser access to email, the mailbox is no longer private.

Researchers emphasized the importance of users understanding what data is at risk and what protections are active. Clear user guidance and regular public security updates would help users make informed decisions about adopting agentic browsing technology.

The disclosure timeline revealed a concerning pattern. LayerX reported findings on August 27-28, 2025, claiming Perplexity classified them as having "no security impact." Brave reported the screenshot vulnerability on October 1, 2025, and publicly disclosed details on October 21, 2025, after Perplexity allegedly dismissed earlier reports. The dismissal of researcher reports even when they showed working data exfiltration raised transparency concerns.

Perplexity processed 780 million queries monthly as of May 2025, representing over 20% month-over-month growth, according to the company's internal metrics. This query volume provided a substantial user base for potential browser adoption. The rapid growth occurred while fundamental security issues remained unresolved.

The security challenges facing Comet and other agentic browsers represent systemic issues rather than isolated bugs. Prompt injection vulnerabilities affect the entire category of AI-powered browsers that can take actions on behalf of users. The technology offers powerful capabilities but introduces risks that traditional browsers do not face because AI agents operate with full user privileges across authenticated sessions.

For the marketing community, these security vulnerabilities matter because they affect trust in AI-powered tools and raise questions about data privacy in advertising-funded models. Perplexity's stated intention to track user habits across the web for "hyper personalized" advertising means security vulnerabilities could expose not just personal data but also browsing patterns and commercial information valuable to advertisers.

The incident demonstrates the tension between innovation in AI-powered tools and the security infrastructure needed to protect users. While multiple respected security firms including Brave, LayerX, Guardio, and enterprise chief information security officers raised concerns about data exfiltration, prompt injection, and credential theft, the lack of clear communication from Perplexity about current security status and remediation plans left users without sufficient information to assess risks.

Timeline

• July 2, 2025: Perplexity launches Max subscription tier at $200 monthly
• July 9, 2025: Perplexity launches Comet browser initially for Max subscribers
• July 13, 2025: Perplexity acquires OS.ai domain to build AI operating system
• August 20, 2025: Brave Security Team reports indirect prompt injection vulnerabilities in Comet
• August 20, 2025: Brave discovers prompt injection vulnerability in Fellou browser
• August 27-28, 2025: LayerX Security reports CometJacking vulnerability to Perplexity; company allegedly responds with "no security impact"
• August 26, 2025: Anthropic launches Claude for Chrome extension as research preview with security mitigations
• October 1, 2025: Brave discovers screenshot-based prompt injection vulnerability in Comet
• October 2, 2025: Perplexity releases Comet browser globally at no cost after three-month limited rollout
• October 2, 2025: Brave sends public disclosure notice to Perplexity
• October 21, 2025: Brave publicly discloses vulnerability details for Comet and Fellou browsers
• October 21, 2025: OpenAI launches ChatGPT Atlas browser raising similar security concerns
• October 22, 2025: Perplexity Security Team publishes blog post acknowledging prompt injection remains unsolved industry-wide problem

Summary

Who: Multiple security research organizations including Brave Security Team (Artem Chaikin and Shivan Kaul Sahib) and LayerX Security discovered vulnerabilities in Perplexity's Comet browser. Perplexity AI developed and released the browser to millions of users.

What: Critical security vulnerabilities in Comet browser allow indirect prompt injection attacks through hidden webpage content, malicious URLs, and screenshot manipulation. Attackers can steal credentials, one-time passwords, emails, calendar data, and connected service information. The vulnerabilities stem from the browser's inability to distinguish between trusted user instructions and untrusted web content.

When: Vulnerabilities were discovered and reported between August 20 and October 1, 2025. Brave initially reported issues on August 20, 2025. LayerX reported CometJacking on August 27-28, 2025. Brave discovered additional screenshot vulnerabilities on October 1, 2025, and publicly disclosed details on October 21, 2025. Perplexity released a statement on October 22, 2025.

Where: The vulnerabilities affect Comet browser across all platforms where it operates. Perplexity released Comet globally on October 2, 2025, after initially limiting access to $200-per-month Max subscribers starting July 9, 2025. The security research was conducted by Brave Software and LayerX Security.

Why: The security vulnerabilities matter because agentic browsers operate with full user privileges across authenticated sessions, accessing banks, email, healthcare providers, and corporate systems. Comet requires extensive permissions to view screens, send emails, access contacts, and modify calendar events. Combined with Perplexity's stated intention to track users across the internet for advertising purposes, the security flaws create significant risks for data privacy and credential theft. The fundamental architectural challenge of maintaining clear boundaries between trusted and untrusted content while allowing powerful AI actions on behalf of users remains unsolved across the industry.