Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet

Summary

This is the first post in a series about security and privacy challenges in agentic browsers. This vulnerability research was conducted by Artem Chaikin (Senior Mobile Security Engineer), and was written by Artem and Shivan Kaul Sahib (VP, Privacy and Security). The threat of instruction injection At Brave, we’re developing the ability for our in-browser AI assistant Leo to browse the Web on your behalf, acting as your agent. Instead of just asking “Summarize what this page says about London flights”, you can command: “Book me a flight to London next Friday.” The AI doesn’t just read, it browses and completes transactions autonomously. This will significantly expand Leo’s capabilities while preserving Brave’s privacy guarantees and maintaining robust security guardrails to protect your data and browsing sessions. This kind of agentic browsing is incredibly powerful, but it also presents significant security and privacy challenges. As users grow comfortable with AI browsers and begin trusting them with sensitive data in logged in sessions—such as banking, healthcare, and other critical websites—the risks multiply. What if the model hallucinates and performs actions you didn’t request? Or worse, what if a benign-looking website or a comment left on a social media site could steal your login credentials or other sensitive data by adding invisible instructions for the AI assistant? To compare our implementation with others, we examined several existing solutions, such as Nanobrowser and Perplexity’s Comet. While looking at Comet, we discovered vulnerabilities which we reported to Perplexity, and which underline the security challenges faced by agentic AI implementations in browsers. The attack demonstrates how easy it is to manipulate AI assistants into performing actions that were prevented by long-standing Web security techniques, and how users need new security and privacy protections in agentic browsers. The vulnerability we’re discussing in this post lies in how Co...