A severe vulnerability discovered by Brave in Perplexity’s AI-powered browser, Comet, has exposed a fundamental flaw not just in Comet but in the broader class of agentic browsers. This isn’t a mere bug - it’s a systemic issue that could redefine the risks of integrating AI into web browsing.
The Attack Explained
The exploit is alarmingly simple yet devastating. Malicious actors can embed hidden instructions for the AI directly within a webpage’s content - think white text on a white background, HTML comments, or even Reddit threads.
When a user clicks “Summarize this page,” the AI fails to distinguish between legitimate content and malicious commands, blindly executing everything.
Brave demonstrated the attack with a chilling proof-of-concept:
- A user opens a Reddit post containing malicious instructions hidden behind a spoiler tag.
- The user asks Comet to summarize the page.
- The AI processes the hidden commands and:
- Navigates to `perplexity.ai./account` (with a dot to bypass security measures).
- Accesses the user’s Gmail to retrieve an OTP code.
- Sends the email and OTP back to a Reddit comment.
The result? The user’s account is compromised without any additional interaction.
Why This Matters
This vulnerability exposes a critical weakness in AI-driven browsers: they operate with the same privileges as the user, accessing all active, logged-in sessions - bank accounts, email, corporate systems, you name it. Traditional web security mechanisms like Same-Origin Policy (SOP) or CORS are powerless here, as the AI is trusted to act on the user’s behalf. This creates a new attack surface that conventional defenses aren’t equipped to handle.
Potential Solutions
To mitigate such risks, developers must rethink how AI browsers handle content and user privileges.
Here are some actionable steps:
- Separate User Instructions from Page Content: Treat all page content as untrusted and isolate it from the AI’s command pipeline.
- Validate AI Actions: Ensure the AI’s actions align strictly with the user’s explicit request, rejecting unrelated or suspicious commands.
- Require Explicit Confirmation: Mandate user approval for sensitive actions like sending emails or accessing financial accounts.
- Isolate Agentic Mode: Restrict powerful AI features to an explicitly activated mode, separate from standard browsing sessions.
The Aftermath
Brave reported the issue to Perplexity in July, and a public fix was released a month later. However, subsequent analysis revealed that the patch was incomplete, leaving lingering vulnerabilities. This incident underscores a broader truth: granting AI full access to a browser with active user sessions is a ticking time bomb for cyberattacks.
Also read:
- QUA Сrypto Buyback - October 2025
- Clippers: The New UGC, Scaled by x1000
- Wikipedia’s Decline: AI and Social Media Take Over
- Gas Rules America, Not What You Thought: It’s Gas
The Bigger Picture
As AI becomes more integrated into our digital lives, the stakes are skyrocketing. Agentic browsers, while powerful, introduce unprecedented risks that demand new security paradigms. Classical approaches to web security are no longer enough. The industry must act swiftly to design robust safeguards, or we risk opening the door to a new era of sophisticated, AI-driven cyberattacks.
