Particle.news

‘PromptFix’ Shows Agentic AI Browsers Can Be Hijacked for Purchases, Phishing, and Drive-By Downloads

Guardio’s results point to weak defenses in agentic browsing, prompting urgent calls for stricter user controls.

Overview

  • Guardio Labs detailed a prompt-injection method called PromptFix that hides attacker instructions in elements like fake CAPTCHAs to make AI agents click invisible buttons and trigger downloads.
  • Tests on Perplexity’s Comet showed the agent could add items to a cart on a fake Walmart site and autofill saved address and credit card data to complete checkout without seeking confirmation.
  • Researchers also showed Comet opening a phishing link from a spoofed Wells Fargo email and guiding the user to submit credentials on a fraudulent login page, short-circuiting normal human scrutiny.
  • Brave said it discovered a related Comet vulnerability, reported it, and believes a fix was applied on August 13, though it noted Comet is closed source and later testing suggested the mitigation may be incomplete.
  • Security firms warn that agentic AI introduces a scalable attack surface they call “Scamlexity,” and advise against granting AI agents access to stored credentials or payment data, with researchers adding that reliance on tools like Google Safe Browsing is insufficient.