Agentic Browser Security
Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet
Authors: Artem Chaikin (Senior Mobile Security Engineer at Brave), Shivan Kaul Sahib (VP, Privacy and Security at Brave)
Source: https://brave.com/blog/comet-prompt-injection/#the-threat-of-instruction-injection
Summary
Researchers at Brave investigated Perplexity's Comet and Nanobrowser, comparing them with Brave's own agentic browsing approach (Leo), and found several vulnerabilities that underline the security challenges of agentic AI implementations in browsers.
Takeaways
- The article names Comet (by Perplexity), Nanobrowser, and Leo (by Brave) as agentic web browsers, but its content focuses solely on a vulnerability [1] that the researchers found in Comet.
- How was the vulnerability found? As explained by the researchers,
When users ask it to “Summarize this webpage,” Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands.
- prompt injection - a trick where someone inserts carefully crafted input, in the form of an ordinary conversation or data, to nudge or outright force an AI into doing something it wasn't meant to do. [2]
- indirect prompt injection - the malicious instructions are embedded in external content (such as a website or a PDF) that the assistant processes as part of fulfilling the user's request.
- The article includes a video of the proof-of-concept: a Reddit post with a comment hidden behind a spoiler tag injects a malicious prompt into Perplexity's Comet when the user asks it to summarize the page.
- When an AI assistant follows malicious instructions from untrusted webpage content, traditional web protections such as the same-origin policy (SOP) and cross-origin resource sharing (CORS) are effectively useless: the AI acts with the user's full privileges across authenticated sessions, giving an attacker potential access to banking accounts, corporate systems, private emails, cloud storage, and other services.
- Possible mitigations:
- The browser should distinguish user instructions from website content, treating website content as untrusted by default
- The model's outputs (including any actions it proposes) should be checked for alignment with what the user actually asked for
- Security- and privacy-sensitive actions should require user interaction: the browser should ask the user to confirm such an action before proceeding
- The browser should isolate agentic browsing from regular browsing, keeping interactions between the two as minimal as possible
[1] According to SentinelOne's definition, vulnerabilities in the context of cybersecurity are "weaknesses that can be exploited by attackers to compromise systems and data."
[2] Source: https://www.malwarebytes.com/blog/news/2025/08/ai-browsers-could-leave-users-penniless-a-prompt-injection-warning