Brave Discovers Security Vulnerability in Perplexity Comet

Brave announced that it has discovered a security vulnerability in Perplexity’s AI web browser, Comet. It reported the issue to Perplexity previously, which fixed the issue.

“While looking at Comet, we discovered vulnerabilities which we reported to Perplexity, and which underline the security challenges faced by agentic AI implementations in browsers,” Brave’s Artem Chaikin and Shivan Kaul Sahib write. “The attack demonstrates how easy it is to manipulate AI assistants into performing actions that were prevented by long-standing Web security techniques, and how users need new security and privacy protections in agentic browsers.”

Brave is working on agentic AI capabilities for its own browser, the pair admit, and this work will eventually allow Brave’s AI, Leo, to “browse the web on your behalf, acting as your agent.” But Brave will implement this in a way that preserves its privacy guarantees and “robust security guardrails.” But this was why the company started looking at the competition, to see how they handled the privacy and security issues inherent in agentic web browsing. And they quickly found that there’s a lot of work that needs to be done.

The Comet vulnerability that Brave disclosed is tied to how that browser processes webpage content when the user asks for a summary, a fairly basic AI browser feature.

“Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage,” Brave explains. “This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands. For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab … This attack is an example of an indirect prompt injection: the malicious instructions are embedded in external content (like a website or a PDF) that the assistant processes as part of fulfilling the user’s request.”

Brave offers a video demonstration of the problem, which can allow an attacker to take over the user’s Perplexity account by exfiltrating their email address and OTP (one-time password) when they authenticate. The attack is indirect in interaction and browser-wide in scope. And Brave says it highlights that the industry needs new security and privacy architectures for agentic browsing. So it has created a preliminary list of possible mitigations.

Brave reported this issue to Perplexity on July 25. The company implemented an initial fix two days later and then a more complete fix after another day. Brave then told Perplexity that it would go public in one week on August 11, and confirmed that the Perplexity patch fixed the issue on August 13.

“A safer web is good for everyone,” Brave says. “As we saw, giving an agent authority to act on the Web, especially within a user’s authenticated context, carries significant security and privacy risks. Our goal with this research is to surface those risks early and demonstrate practical defenses. This helps Brave, Perplexity, other browsers, and (most importantly) all users.”