Overview

• Brave published a proof-of-concept showing a Reddit post with concealed instructions that led Comet’s assistant to fetch a one-time password from Gmail and disclose it.
• Perplexity maintains the flaw was fixed and reports no known data compromise, while Brave’s retesting found the issue remained exploitable weeks after the claimed patch.
• The weakness stems from Comet sending webpage content to its model without reliably separating user commands from untrusted page text.
• Attackers could embed directives in white-on-white text, HTML comments, or social media comments, defeating assumptions behind protections like same-origin policy or CORS for agentic tools.
• Security teams urge design changes such as strict instruction-content separation, explicit user confirmation for sensitive actions, and isolated agent sessions, with some vendors opting for cloud sandboxes.