- Hidden AI prompts could have exposed user emails and logins
- Brave researchers warned of risks to business and personal accounts
- Perplexity issued a fix but doubts remain about its effectiveness
Vulnerability in Comet’s AI assistant
Security researchers at Brave have revealed a flaw in Perplexity AI’s Comet browser that may have allowed hackers to access user data, including email addresses and login credentials. The issue was linked to the way Comet’s built-in AI assistant processed web content.
Unlike traditional browsers, Comet enables users to ask its assistant to summarise or complete tasks on webpages. Brave found that this feature could be manipulated through a method known as indirect prompt injection, where hidden commands are embedded in otherwise harmless text such as social media comments or web pages.
How attackers could exploit the bug
In one test, Brave created a Reddit post with hidden text inside a spoiler tag. When Comet’s “Summarise this page” feature was used, the AI assistant read the hidden content as well as the visible post. The malicious instructions directed the assistant to visit Perplexity’s account page, retrieve the user’s email, then access Gmail to extract a one-time password. This could give attackers full control of the account.
Brave highlighted that these attacks bypass long-standing web security measures. Because the AI acts with the same privileges as the user, attackers could potentially reach sensitive data such as emails, corporate systems, or even banking accounts.
Perplexity’s response and remaining risks
Perplexity confirmed it had fixed the issue and credited Brave for its disclosure. The company noted its security bounty programme helped address the problem quickly. However, Brave reported that its follow-up testing suggested the fix may not be complete, and it has raised the issue again with Perplexity.
Why this matters for businesses
The case underscores a growing concern: AI assistants integrated into browsers or workplace tools can be exploited in new ways. Unlike traditional hacking, which often requires coding expertise, these attacks may only involve embedding natural language instructions into web content.
For businesses, this presents a real risk. Employees using AI-powered browsing could inadvertently expose company accounts or data by interacting with compromised pages. Brave’s security leaders recommended stricter safeguards, such as requiring explicit user approval before actions like sending emails, and keeping high-privilege AI features separate from casual browsing.
The bigger picture
As AI adoption grows across business software and productivity tools, security risks are evolving rapidly. The Comet browser case shows that indirect prompt injections are not theoretical but practical and potentially damaging.
Brave, which is developing its own AI assistant called Leo, stressed that privacy and security must be built into AI systems from the start. For IT leaders, the incident is a reminder to stay vigilant, review employee use of AI tools, and adapt security policies to account for these emerging threats.
