Researchers traced significant security issues with Perplexity’s AI-powered browser, Comet, putting the personal data of users at risk. As per the privacy-focused search and browsing facility provider Brave, cyber attackers can access and retrieve user data from Comet browser easily through prompt injection.
While failing to differentiate between content on a webpage and instructions given by users and attackers, agentic browsers like Comet can end up exposing user information, including name, email address, location, etc., to attackers.
Though Perplexity has claimed to have fixed the vulnerability while directly collaborating with Brave, the incident has highlighted major security risks that AI-powered agentic browsers can impose.
Vulnerabilities of Perplexity’s Comet AI Browser
While executing research on the security and privacy of agentic browsers, Brave recently tested Perplexity’s Comet AI browser. The firm has found major security vulnerabilities where attackers can easily manipulate AI-powered browsers and access sensitive user data.
For testing purposes, Brave took it to a Reddit page with hidden texts or malicious instructions and asked Comet to ‘Summarize the current webpage’. Alongside other content on the page, Comet AI assistant starts detecting and processing hidden texts. The instructions included extracting the email address of the user that they used to manage their Perplexity account, logging in to the email address, receiving OTP, and retrieving both the email address and the OTP.
These instructions serve as a prompt injection method, allowing attackers to learn not only about users’ email addresses and OTPs but also to easily use the account for malicious purposes.
Brave explained the security flaw, “The vulnerability we’re discussing in this post lies in how Comet processes webpage content: when users ask it to “Summarize this webpage,” Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands. For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab.”
Brave posted on X, “We recently found, and disclosed, a concerning flaw in Perplexity’s Comet browser that put users’ accounts and other sensitive info in danger.”
Brave’s Mitigatory Methods for Perplexity:
After discovering Comet’s security flaw, Brave shared specific suggestions to Perplexity while addressing the vulnerability. Following the possible mitigations-
- The browser should be able to differentiate between content on the webpage and user instructions.
- The browser model should assess the alignment of user intent and AI actions.
- The browser should confirm or seek approval before security and privacy-focused tasks, such as sending an email.
- The browser should maintain a clear boundary between agentic and regular browsing contexts.
Perplexity’s Reaction:
Perplexity acknowledged the vulnerability discovered by Brave and initiated initial fixes. Afterward, the company stated, “The vulnerability is fixed. We worked directly with Brave to identify and repair the vulnerability”. Instead of the assurance, Brave continued testing for further vulnerability assessment and evaluated the mitigation strategies.
Why does this Matter for Users?
Comet embraces a shift from a traditional browsing experience, integrating AI capabilities. It not only enhanced user experience but also offers effective search results. Users are increasingly adopting technologies that offer high efficiency and a superior user experience.
However, the recent security-related incidents are an alarming reminder of how using AI-powered browsers and tools can increase data privacy threats. Hence, being cautious and staying alert while sharing personal information with AI tools.
Check out our latest news and stay aligned with the evolving cybersecurity space!
Also Read: What is Perplexity AI Model? Is Perplexity AI Better than ChatGPT?
