Brave disclosed a prompt injection vulnerability in Perplexity's Comet AI browser, saying malicious text embedded in webpages can trigger actions that affect other open tabs. According to Brave, technical details are available in its official write-up.
Perplexity Comet browser vulnerable to prompt injection exploit
Brave reported that Comet processes webpage content during summarization without filtering untrusted instructions. The browser feeds part of the page directly to its LLM, enabling indirect prompt injection.
Brave added that Comet does not distinguish between user instructions and webpage content. Attackers can embed malicious prompts that the AI interprets as commands, which Brave says may affect data in other open tabs.
Key details
- Disclosing party: Brave via an official blog post.
- Affected product: Perplexity's Comet AI browser.
- Trigger: The "Summarize this webpage" feature that reads page content into the LLM.
- Mechanism: Comet passes page text to the model without separating user intent from page content.
- Attack method: Indirect prompt injection payloads embedded within webpage content.
- Potential impact: model-triggered actions that can affect data in other open tabs.
“An attacker could gain access to a user's emails from a prepared piece of text in a page in another tab,” Brave wrote.
Background context
Comet includes an AI assistant that summarizes webpages and answers user prompts inside the browser. The assistant reads page content to generate responses for the user.
Indirect prompt injection involves malicious instructions hidden in content that LLMs process. If models ingest such content without separating it from user directives, attacks can trigger unintended actions. Brave described this risk in Comet's summarization workflow.
Sources and further reading
- Brave disclosure
- Independent analysis: Simon Willison's post
- Community demo: a developer posted a real-world example.
.svg)
.svg)
.svg)