Perplexity’s Comet AI browser had a major security flaw that put users’ emails, passwords and banking data at risk

Perplexity's AI-based web browser Comet suffered from a major vulnerability that potentially allowed bad actors to gain access to sensitive user data, such as emails, banking passwords, and other details, through a technique called indirect prompt injection.

Notably, Comet is among a slew of new-age, AI-based browsers that use large language models in order to follow tasks autonomously on a user's behalf. Using its built-in AI, the browser is capable of completing tasks like summarizing web pages, emails, calendar events, managing tabs, and even answering questions about the content on their screen.

However, new research by Brave, a rival browser company, has found a vulnerability in how Comet processes webpage-summarization requests. The researchers say that when a user clicks “Summarize this webpage,” Comet feeds a part of the webpage directly into its LLM without distinguishing between the user's instruction and untrusted content from the webpage, and this opens up the browser for indirect prompt injection.

Essentially, attackers could embed indirect prompts inside of webpages, like white text on a website they own, or content on even social media websites like Facebook and Reddit, and Comet's LLM may treat those indirect cues as if the user had actually asked for those instructions.

“When an AI assistant follows malicious instructions from untrusted webpage content, traditional protections such as same-origin policy (SOP) or cross-origin resource sharing (CORS) are effectively useless,” the Brave researchers explained.

“Unlike traditional web vulnerabilities that typically affect individual sites or require complex exploitation, this attack enables cross-domain access through simple, natural language instructions embedded in websites,” they added.

This vulnerability lets attackers trick the AI into fulfilling actions that the users never requested. In a demo video, Brave showed how attackers could have used Comet to easily gain access to a user's Perplexity account by asking the AI to extract the user's personal email, request an OTP from the company, and log into Gmail to access that OTP.

The researchers further state that the vulnerability in Comet could have been exploited to complete tasks like gaining access to a user's banking data, extracting saved passwords, or sending sensitive information directly to an attacker-controlled server.

The Brave blog post states that despite informing Perplexity of the vulnerability on 11 August, it had not been fixed by the time of the blog post's publication on 20 August.

The AI search startup, in a statement to CNET, has indeed confirmed that the issue has been resolved.

Jesse Dwyer, Perplexity's head of communications, told the publication, “This vulnerability is fixed…We have a pretty robust bounty program, and we worked directly with Brave to identify and repair it.”