Perplexity Comet Flaw Uncovered Person Information to Attackers, Courageous Stories – Decrypt

Courageous Software program has uncovered a safety flaw in Perplexity AI’s Comet browser that confirmed how attackers may trick its AI assistant into leaking non-public person knowledge.

In a proof-of-concept demo printed August 20, Courageous researchers recognized hidden directions inside a Reddit remark. When Comet’s AI assistant was requested to summarize the web page, it didn’t simply summarize—it adopted the hidden instructions.

Perplexity disputed the severity of the discovering. A spokesperson advised Decrypt the difficulty “was patched earlier than anybody observed” and mentioned no person knowledge was compromised. “We now have a reasonably sturdy bounty program,” the spokesperson added. “We labored immediately with Courageous to determine and restore it.”

Courageous, which is growing its personal agentic browser, maintained that the flaw remained exploitable weeks after the patch and argued Comet’s design leaves it open to additional assaults.

Courageous mentioned the vulnerability comes all the way down to how agentic browsers like Comet course of net content material. “When customers ask it to summarize a web page, Comet feeds a part of that web page on to its language mannequin with out distinguishing between the person’s directions and untrusted content material,” the report defined. “This enables attackers to embed hidden instructions that the AI will execute as in the event that they had been from the person.”

Immediate injection: previous concept, new goal

Such a exploit is named a immediate injection assault. As a substitute of tricking an individual, it methods an AI system by hiding directions in plain textual content.

“It’s just like conventional injection assaults—SQL injection, LDAP injection, command injection,” Matthew Mullins, lead hacker at Reveal Safety, advised Decrypt. “The idea isn’t new, however the technique is completely different. You’re exploiting pure language as a substitute of structured code.”

Safety researchers have been warning for months that immediate injection may change into a serious headache as AI programs achieve extra autonomy. In Could, Princeton researchers confirmed how crypto AI brokers might be manipulated with “reminiscence injection” assaults, the place malicious info will get saved in an AI’s reminiscence and later acted on as if it had been actual.

Even Simon Willison, the developer credited with coining the time period immediate injection, mentioned the issue goes far past Comet. “The Courageous safety staff reported severe immediate injection vulnerabilities in it, however Courageous themselves are growing an analogous function that appears doomed to have comparable issues,” he posted on X.

Shivan Sahib, Courageous’s vice chairman of privateness and safety, mentioned its upcoming browser would come with “a set of mitigations that assist cut back the chance of oblique immediate injections.”

“We’re planning on isolating agentic searching into its personal storage space and searching session, so {that a} person doesn’t by chance find yourself granting entry to their banking and different delicate knowledge to the agent,” he advised Decrypt. “We’ll be sharing extra particulars quickly.”

The larger danger

The Comet demo highlights a broader downside: AI brokers are being deployed with highly effective permissions however weak safety controls. As a result of massive language fashions can misread directions—or observe them too actually—they’re particularly susceptible to hidden prompts.

“These fashions can hallucinate,” Mullins warned. “They’ll go utterly off the rails, like asking, ‘What’s your favourite taste of Twizzler?’ and getting directions for making a selfmade firearm.”

With AI brokers being given direct entry to e-mail, information, and stay person periods, the stakes are excessive. “Everybody needs to slap AI into the whole lot,” Mullins mentioned. “However nobody’s testing what permissions the mannequin has, or what occurs when it leaks.”