Indirect Prompt InjectionHigh

Perplexity Comet AI browser indirect prompt injection

August 2025  ·  Perplexity Comet (AI browser)

What happened

Brave's security team showed that Comet's agentic browsing could be hijacked by instructions hidden in webpage content, including a malicious Reddit post and invisible text, letting attackers reach the user's logged-in accounts and one-time passwords. Guardio separately showed it would complete phishing flows and hand over banking details without warning.

Root cause

The agent processed page content as trusted instructions while acting with the user's authenticated browser session, so any visited page became an injection surface with real account access.

Fix / outcome

Perplexity shipped mitigations after disclosure, but researchers demonstrated follow-on bypasses. Agentic browsing remains an open problem.

Sources

Brave Security (discoverer)

Learn this attack class

This incident is an example of Indirect Prompt Injection. Read the guide, then try it hands-on in the Academy.

Read the guide →Try the challenge

← Back to the Incident Database