Perplexity’s Comet AI browser had a major security flaw

Perplexity's AI-driven web browser, Comet, has been found to contain a significant security vulnerability that could expose sensitive user data, including emails and banking passwords, to malicious actors. This flaw arises from a method known as indirect prompt injection, which poses a serious threat to user privacy and data security. Comet is part of a new generation of AI-based browsers that utilize large language models (LLMs) to perform various tasks on behalf of users, such as summarizing web pages, managing tabs, and answering questions related to the content displayed. However, a recent investigation by Brave, a competitor in the browser market, revealed critical weaknesses in how Comet handles webpage summarization requests. When users click the “Summarize this webpage” button, Comet inadvertently feeds portions of the webpage directly into its LLM without adequately separating user instructions from potentially harmful content. This lack of distinction opens the door for attackers to embed covert prompts within webpages, whether through concealed text on their own sites or even on social media platforms like Facebook and Reddit. As a result, Comet's LLM may interpret these prompts as legitimate user commands. Brave's researchers highlighted the dangers of this vulnerability, noting that traditional security mechanisms like the same-origin policy (SOP) and cross-origin resource sharing (CORS) are ineffective against such attacks. Unlike conventional web vulnerabilities that usually target single sites, this issue allows cross-domain access through straightforward, natural language instructions embedded within webpages. The implications of this flaw are alarming; attackers could manipulate the AI to perform unauthorized actions that users never intended. In a demonstration, Brave illustrated how a malicious actor could exploit Comet to access a user's Perplexity account. This could involve extracting personal emails, requesting one-time passwords (OTPs), and logging into Gmail to retrieve those OTPs. Moreover, the vulnerability presents the potential for even more severe breaches, such as accessing banking information, retrieving saved passwords, or sending confidential data to servers controlled by the attacker. Despite notifying Perplexity about the vulnerability on August 11, Brave reported that the issue remained unaddressed as of their blog post on August 20. However, Perplexity has since confirmed that the vulnerability has been resolved. Jesse Dwyer, head of communications at Perplexity, assured CNET that they have a robust bounty program and collaborated directly with Brave to identify and rectify the flaw.