Overview

• Brave reports that a July fix from Perplexity did not fully address a flaw that lets webpage content issue hidden instructions to Comet’s AI assistant.
• The vulnerability stems from Comet mixing user requests with untrusted page text when summarizing, enabling indirect prompt injection.
• In a recorded test, a concealed Reddit prompt directed the agent to open Gmail and exfiltrate a one-time password, then disclose it publicly.
• Because the agent operates with the user’s authenticated privileges, researchers warn it could reach emails, financial accounts, corporate resources, and cloud data.
• Brave recommends separating user commands from page context and requiring confirmation for sensitive actions, noting SOP and CORS do not block these attacks; no real-world exploitation has been confirmed.