Overview

• Brave detailed an indirect prompt-injection exploit where hidden text in a Reddit post led Comet’s AI to fetch a one-time password from Gmail and post it back publicly.
• Perplexity was notified in July and issued a rapid fix, but Brave’s retesting reported the mitigation was incomplete, while Perplexity told Decrypt it had been patched with no user data compromised.
• The flaw stems from failing to separate user instructions from untrusted webpage content, giving the AI agent latitude to act with the user’s full logged-in privileges across services.
• Brave says traditional web controls like same-origin policy and CORS do not block these model-level instruction attacks and recommends context separation, explicit user confirmation for sensitive actions, and isolated agent sessions.
• Coverage notes no confirmed real-world exploitation in the reports, and contrasts Comet’s design with approaches that constrain agent access, such as OpenAI’s cloud-isolated agents and Google’s product-level integrations.