Brave Reports Reveals that Perplexity Comet Vulnerability Compromised User Data to Hackers

Brave Software has identified a security vulnerability in Perplexity AI’s Comet browser, which demonstrated how malicious users could deceive its AI assistant into revealing private user information.

In a proof-of-concept demo released on August 20, Brave researchers discovered concealed instructions within a Reddit comment. When asked to summarize the page, Comet’s AI assistant not only summarized but also executed the hidden commands.

Perplexity contested the severity of this finding. A representative told Decrypt that the issue “was addressed before it was noticed” and asserted that no user data was compromised. “We maintain a robust bounty program,” the spokesperson added. “We collaborated directly with Brave to identify and rectify this.”

Brave emphasized that the flaw continued to be exploitable weeks post-patch and contended that Comet’s architecture renders it susceptible to further attacks.

Brave indicated that the vulnerability arises from how agentic browsers like Comet handle web content. “When users request a page summary, Comet relays parts of that page directly to its language model without differentiating between user instructions and untrusted content,” the report outlined. “This allows attackers to embed hidden commands that the AI will execute as if they originated from the user.”

Prompt injection: a longstanding concept, a new target

This exploit is categorized as a prompt injection attack. Rather than deceiving a human, it misleads an AI system by embedding instructions in clear text.

“It’s analogous to traditional injection attacks—SQL injection, LDAP injection, command injection,” Matthew Mullins, lead hacker at Reveal Security, informed Decrypt. “The concept isn’t novel, but the approach is distinct. You’re exploiting natural language rather than structured code.”

Security experts have been issuing warnings for several months, cautioning that prompt injection could evolve into a significant challenge as AI systems acquire greater autonomy. In May, Princeton researchers demonstrated how crypto AI agents might be influenced using “memory injection” attacks, where harmful information is stored in an AI’s memory and later acted upon as if it were legitimate.

Even Simon Willison, the developer credited with coining the term prompt injection, expressed that the issue extends far beyond Comet. “The Brave security team uncovered serious prompt injection vulnerabilities, but Brave itself is developing a similar feature that likely faces comparable issues,” he posted on X.

Shivan Sahib, Brave’s vice president of privacy and security, stated that their forthcoming browser will incorporate “a collection of mitigations to lessen the risk of indirect prompt injections.”

“We’re planning to isolate agentic browsing into a distinctive storage area and session, so users don’t inadvertently grant access to their banking and other sensitive data to the agent,” he communicated to Decrypt. “More details will be shared soon.”

The larger threat

The Comet demonstration underscores a wider issue: AI agents are being implemented with extensive permissions yet inadequate security measures. Because large language models can misconstrue directives—or take them too literally—they are particularly susceptible to concealed prompts.

“These models can hallucinate,” Mullins cautioned. “They can go entirely off course, like when asked, ‘What’s your favorite flavor of Twizzler?’ and instead providing instructions for constructing a homemade weapon.”

With AI agents being granted direct access to emails, files, and active user sessions, the risks are elevated. “Everyone is eager to integrate AI into everything,” Mullins observed. “But nobody is evaluating what permissions the model possesses or what transpires in the event of a data breach.”