ZDNET’s key takeaways
- Perplexity’s Comet browser might expose your personal knowledge.
- An attacker might add instructions to the immediate through a malicious web site.
- The AI ought to deal with consumer knowledge and web site knowledge individually.
Get extra in-depth ZDNET AI protection: Add us as a most popular Google supply on Chrome and Chromium browsers.
Agentic AI browsers are a scorching new pattern on the planet of AI. As an alternative of you having to browse the online your self to finish particular duties, you inform the browser to ship its agent to hold out your mission. However relying on which browser you utilize, you might be opening your self as much as safety dangers.
In a weblog submit revealed Wednesday, the oldsters behind the Courageous browser (which provides its personal AI-powered assistant dubbed Leo) pointed their collective fingers at Perplexity’s new Comet browser. At the moment out there for public obtain, Comet is constructed on the premise of agentic AI, promising that your want is its command.
Additionally: Why Perplexity goes after Google Chrome – and sure, it is severe
Do you must choose up a brand new provide of your favourite protein drink at Amazon? As an alternative of doing it your self, simply inform Comet to do it for you.
OK, so what is the beef? First, there is definitely a possibility for errors. With AI being so susceptible to errors, the agent might misread your directions, take the incorrect step alongside the best way, or carry out actions you did not specify. The challenges multiply if you happen to entrust the AI to deal with private particulars, akin to your password or cost info.
However the greatest danger lies in how the browser processes the immediate’s contents, and that is the place Courageous finds fault with Comet. In its personal demonstration, Courageous confirmed how attackers might inject instructions into the immediate via malicious web sites of their very own creation. By failing to tell apart between your individual request and the instructions from the attacker, the browser might expose your private knowledge to compromise.
Additionally: Learn how to eliminate AI Overviews in Google Search: 4 straightforward methods
“The vulnerability we’re discussing in this submit lies in how Comet processes net web page content material,” Courageous mentioned. “When customers ask it to ‘Summarize this net web page,’ Comet feeds part of the online web page on to its LLM with out distinguishing between the consumer’s directions and untrusted content material from the online web page. This enables attackers to embed oblique immediate injection payloads that the AI will execute as instructions. As an illustration, an attacker might achieve entry to a consumer’s emails from a ready piece of textual content in a web page in one other tab.”
Thus far, there are not any identified examples of such assaults within the wild.
Courageous mentioned the assault demonstrated in Comet reveals that conventional net safety is not sufficient to guard individuals when utilizing agentic AI. As an alternative, such brokers want new sorts of safety and privateness. With that aim in thoughts, Courageous beneficial that a number of measures be carried out.
The browser ought to distinguish between consumer directions and web site content material. The browser ought to separate the requests submitted by a consumer on the immediate from the content material delivered at a web site. With a malicious website at all times a risk, this content material ought to at all times be handled as untrusted.
The AI mannequin ought to be sure that duties align with the consumer’s request. Any actions submitted to the immediate needs to be checked towards these submitted by the consumer to make sure alignment.
Additionally: Scammers have infiltrated Google’s AI responses – find out how to spot them
Delicate safety and privateness duties ought to require consumer permission. The AI ought to at all times require a response from the consumer earlier than working any duties that have an effect on safety or privateness. For instance, if the agent is informed to ship an e-mail, full a purchase order, or log in to a website, it ought to first ask the consumer for affirmation.
The browser ought to isolate agentic shopping from common shopping. Agentic shopping mode carries some dangers, because the browser can learn and ship emails or view delicate and confidential knowledge on a web site. For that motive, agentic shopping mode needs to be a transparent alternative, not one thing the consumer can entry unintentionally or with out data.
With Courageous discovering fault with Comet, how has Perplexity responded? Right here, I am simply going to share the timeline of occasions as described by Courageous.
- July 25, 2025: Vulnerability found and reported to Perplexity.
- July 27, 2025: Perplexity acknowledged the vulnerability and carried out an preliminary repair.
- July 28, 2025: Retesting revealed the repair was incomplete; extra particulars and feedback have been offered to Perplexity.
- August 11, 2025: One-week public disclosure discover despatched to Perplexity.
- August 13, 2025: Ultimate testing confirmed the vulnerability seems to be patched.
- August 20, 2025: Public disclosure of vulnerability particulars (Replace: on additional testing after this weblog submit was launched, we discovered that Perplexity nonetheless hasn’t totally mitigated the sort of assault described right here. We have re-reported this to them.)
Now, the ball is again in Perplexity’s courtroom. I contacted the corporate for remark and can replace the story with any response.
Additionally: The very best safe browsers for privateness: Professional examined
“This vulnerability in Perplexity Comet highlights a basic problem with agentic AI browsers: making certain that the agent solely takes actions which are aligned with what the consumer needs,” Courageous mentioned. “As AI assistants achieve extra highly effective capabilities, oblique immediate injection assaults pose severe dangers to net safety.”
