Cybersecurity experts have unveiled details of a new cyber attack known as CometJacking that targets Perplexity’s agentic AI browser Comet by embedding malicious prompts in a seemingly harmless link to extract sensitive data, including from connected services such as email and calendar.
The deceptive prompt injection attack operates by using a malicious link that, when clicked, initiates unexpected actions without the victim’s knowledge.
“CometJacking illustrates how a single, weaponized URL can surreptitiously transform an AI browser from a trusted assistant to an internal threat,” stated Michelle Levy, Head of Security Research at LayerX.
“This isn’t just about data theft; it’s about seizing control of the agent that already holds the keys. Our research demonstrates that simple obfuscation techniques can bypass data protection measures and extract email, calendar, and connector data in a single click. AI-native browsers require security measures designed for agent prompts and memory access, not just page content.”
The attack essentially manipulates the AI assistant within the browser to extract data, while evading Perplexity’s data protection measures through simple Base64-encoding techniques. Notably, the attack does not involve stealing credentials since the browser already has authorized access to Gmail, Calendar, and other linked services.
The attack unfolds in five stages, triggered when a user clicks on a specially crafted URL, either delivered via a phishing email or present on a webpage. Instead of redirecting the user to the intended destination, the URL directs the Comet browser’s AI to execute a hidden prompt that captures the user’s data from platforms like Gmail, encodes it using Base64, and sends it to a destination controlled by the attacker.
The malicious URL is constructed as a query string aimed at the Comet AI browser, with the malicious command embedded using the “collection” parameter of the URL, causing the agent to retrieve data from its memory instead of conducting a live web search.
Although Perplexity has downplayed the significance of these findings in terms of security implications, they once again underscore the new security risks introduced by AI-native tools that can circumvent traditional defenses, enabling malicious actors to manipulate them for their own purposes and potentially leading to data breaches.
In August 2020, Guardio Labs unveiled a similar attack technique called Scamlexity, demonstrating how browsers like Comet could be manipulated by threat actors to interact with phishing pages or fake online stores without the user’s knowledge or intervention.
“AI browsers represent the next battleground for enterprises,” commented Or Eshed, CEO of LayerX. “When an attacker can control your assistant through a link, the browser becomes a command center within the organization’s perimeter. Companies must urgently implement controls that can detect and thwart malicious agent prompts before these proof-of-concepts evolve into widespread campaigns.”
