Perplexity

Cybersecurity researchers uncovered **CometJacking**, a novel **prompt injection attack** targeting Perplexity’s AI-powered browser, **Comet**. The attack uses a malicious URL to hijack the embedded AI assistant and siphon sensitive data, including emails, calendars, and connected services. No credential theft is required, because the browser already has authorized access. The attack leverages **Base64 obfuscation** to bypass Perplexity’s data exfiltration protections and transmits the stolen information to an attacker-controlled endpoint in a single click. The technique weaponizes the **‘collection’ URL parameter**, tricking the AI into executing hidden prompts that extract data from the user’s linked accounts (e.g., Gmail).

While Perplexity dismissed the findings as having **‘no security impact’**, the attack demonstrates how AI-native tools can **circumvent traditional defenses**, turning trusted assistants into insider threats. Researchers warn this could enable large-scale data theft if exploited in phishing campaigns, particularly in enterprise environments where AI browsers are integrated. The attack mirrors prior techniques like **Scamlexity** (2020), where browsers were manipulated into interacting with phishing pages autonomously. Experts emphasize the urgent need for **security-by-design** in AI agents to prevent prompt-based exploits from becoming widespread threats.

Source: https://thehackernews.com/2025/10/cometjacking-one-click-can-turn.html

TPRM report: https://www.rankiteo.com/company/perplexity-ai

"id": "per1592715100425",
"linkid": "perplexity-ai",
"type": "Cyber Attack",
"date": "6/2020",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'AI/ML, Search & Browser Services',
                        'name': 'Perplexity AI',
                        'type': 'Technology Company'}],
 'attack_vector': ['Malicious URL', 'Phishing Email', 'Web Page'],
 'data_breach': {'data_encryption': ['Bypassed via Obfuscation (Base64)'],
                 'data_exfiltration': ['Base64-Encoded Data Transmitted to '
                                       'Attacker-Controlled Endpoint'],
                 'personally_identifiable_information': ['Potential (Depending '
                                                         'on Connected '
                                                         'Services)'],
                 'sensitivity_of_data': ['High (Authorized Access to Connected '
                                         'Services)'],
                 'type_of_data_compromised': ['Email Data',
                                              'Calendar Data',
                                              'Connector Service Data']},
 'description': 'Cybersecurity researchers disclosed a new attack called '
                "CometJacking targeting Perplexity's agentic AI browser Comet. "
                'The attack embeds malicious prompts within a seemingly '
                'innocuous link to siphon sensitive data from connected '
                'services like email and calendar. The attack hijacks the AI '
                'assistant embedded in the browser to steal data while '
                "bypassing Perplexity's data protections using trivial "
                'Base64-encoding tricks. It does not involve credential theft, '
                'as the browser already has authorized access to services like '
                'Gmail and Calendar. The attack activates when a victim clicks '
                "a specially crafted URL, which instructs the Comet browser's "
                'AI to execute a hidden prompt that captures and exfiltrates '
                'user data to an attacker-controlled endpoint.',
 'impact': {'brand_reputation_impact': ['Potential Erosion of Trust in AI '
                                        'Tools'],
            'data_compromised': ['Email Data',
                                 'Calendar Data',
                                 'Connected Service Data'],
            'systems_affected': ['Perplexity Comet AI Browser']},
 'initial_access_broker': {'entry_point': ['Malicious URL (Phishing Email or '
                                           'Web Page)'],
                           'high_value_targets': ['Connected Services (Gmail, '
                                                  'Calendar, etc.)']},
 'investigation_status': 'Disclosed by Third-Party Researchers (LayerX); '
                         "Perplexity Classified as 'No Security Impact'",
 'lessons_learned': ['AI-native browsers introduce new security risks that '
                     'bypass traditional defenses.',
                     'Trivial obfuscation (e.g., Base64) can circumvent data '
                     'exfiltration checks in AI tools.',
                     'Malicious prompts in URLs can weaponize AI agents with '
                     'existing authorized access.',
                     'Security-by-design is critical for AI agent prompts and '
                     'memory access, not just page content.'],
 'motivation': ['Data Theft',
                'Unauthorized Data Access',
                'Exploitation of AI Tools'],
 'post_incident_analysis': {'root_causes': ['Lack of prompt validation in AI '
                                            'agent memory access.',
                                            'Insufficient safeguards against '
                                            'URL parameter manipulation (e.g., '
                                            "'collection').",
                                            'Over-reliance on traditional '
                                            'defenses for AI-native tools.']},
 'recommendations': ['Implement controls to detect and neutralize malicious '
                     'agent prompts in AI browsers.',
                     'Evaluate and harden AI tool integrations with connected '
                     'services (e.g., Gmail, Calendar).',
                     'Monitor for weaponized URLs targeting AI-native tools in '
                     'phishing campaigns.',
                     'Adopt security-by-design principles for AI memory access '
                     'and prompt execution.'],
 'references': [{'source': 'The Hacker News'},
                {'source': 'LayerX Research (Michelle Levy, Head of Security '
                           'Research)'},
                {'source': 'Guardio Labs (Scamlexity Attack Technique, August '
                           '2020)'}],
 'response': {'communication_strategy': ['Public Disclosure via The Hacker '
                                         'News',
                                         'Statements by LayerX Researchers'],
              'enhanced_monitoring': ['Urgent Evaluation of Controls for '
                                      'Malicious Agent Prompts (Recommended)'],
              'third_party_assistance': ['LayerX (Research Disclosure)',
                                         'Guardio Labs (Prior Research '
                                         'Reference)']},
 'title': "CometJacking Attack Targeting Perplexity's AI Browser Comet",
 'type': ['Prompt Injection', 'Data Exfiltration', 'AI Hijacking'],
 'vulnerability_exploited': ['AI Agent Memory Access',
                             'Base64 Obfuscation Bypass',
                             'URL Parameter Manipulation (collection)']}