Danger! A major vulnerability in an AI browser has been exposed. User email verification codes are all scraped, and account theft only takes 150 seconds.

Has this well - known AI browser become a "privacy thief" hidden in users' devices?

According to a report by Zhidongxi on August 26, recently, the US browser company Brave published a blog post stating that it had discovered a serious security vulnerability in Comet, an AI browser developed by Perplexity, a well - known AI search unicorn in the US. Attackers can manipulate the AI browser to log in to websites, access email accounts, and obtain verification codes by posting malicious instructions on web pages, and then send this sensitive information to external attackers. The entire attack process takes only two and a half minutes, and even an ordinary person can carry out such an attack.

▲ Screenshot of part of the blog post (Source: Brave)

Comet is essentially an Agent that can perform browser operations on behalf of users. In an experiment, Brave's research team posted a message containing malicious instructions on Reddit, a US forum platform, and asked Comet to summarize the post. When it reads the malicious instructions, Comet will execute them exactly as they are, posing a huge risk to users' information security.

Once this case was published, it sparked intense discussions on social media and various forums. Some netizens believe that the above - mentioned operations mean that malicious attackers may almost be able to launch attacks by "casting a wide net" with prompt words. When users ask the AI to summarize information, attackers can directly invade users' bank accounts, causing great risks.

A senior model security engineer working at Google also joined the discussion, saying that such attacks "are not sophisticated" and are the types of attacks that should be guarded against in the first lesson of large - model security. It seems that Perplexity didn't even consider this security issue, let alone send someone to solve it.

▲ A Google senior model security engineer criticizes Comet's security vulnerability (Source: Hacker News)

Perplexity's attitude towards this incident has also drawn criticism. Some netizens believe that Perplexity's CEO spent the entire month after the problem emerged talking about updates to their application on Twitter, showing no sign of taking this matter seriously. Today, Perplexity also launched a Comet Plus news subscription service.

Currently, Perplexity and Comet have downplayed this incident on social media and have not posted any responses. Brave said that they have reported the problem to Perplexity, but Perplexity has taken nearly a month and still hasn't fully fixed the problem.

▲ Brave's timeline of disclosing the problem to Perplexity (Source: Brave)

So, how exactly is this type of attack carried out, and what measures should AI browsers and AI Agent products take to protect users' privacy?

01. Attack by posting a message, the whole account - stealing process takes two and a half minutes

The principle of attacking the Comet browser is extremely simple. Attackers can hide instructions in white text on a white background, HTML comments, or other invisible elements, or directly inject malicious prompt words into user - generated content on social media platforms, such as Reddit comments or Facebook posts.

Similar methods have been widely used to manipulate search engine results for SEO (Search Engine Optimization). For example, some companies would implant a large number of popular search keywords in the blank areas of their websites to improve their websites' rankings in search results.

The browser can read malicious instructions that are invisible to users. Since it cannot distinguish between the content to be summarized and the instructions it should not follow, it treats all content as user requests. The injected commands instruct the browser to maliciously invoke tools, such as navigating to the user's bank website, extracting saved passwords, or leaking sensitive information to a server controlled by the attacker.

To illustrate the severity of this vulnerability in Comet, Brave created a proof - of - concept demonstration. In the demonstration, a comment in a post visited by the user was hidden by a "spoiler tag", making its content invisible to the user. When the user clicks the "Summarize the current web page" button on Comet, the Comet assistant will see and process these hidden instructions.

▲ Malicious post published in Brave's experiment (Source: Brave)

These malicious instructions direct Comet to obtain the user's email address, log in using the email address, select the verification code login option, and have Perplexity's official send a one - time verification code. The malicious instructions also teach the browser to circumvent existing authentication and navigate to the user's logged - in Gmail account according to the instructions to obtain the verification code.

▲ Part of the operations performed by Comet, the video is speeded up by five times (Source: Brave)

Since the Comet browser hides some operations in the background, users won't directly see the page operations the browser is performing on their devices, only a text summary. Users need to actively click a button to view the various web pages the browser has opened in the background.

Comet automatically sends the verification code and email to the Reddit comment section, completing the attack. The whole process takes two and a half minutes. Immediately afterwards, attackers can log in to the user's Perplexity account using the email and verification code combination.

▲ Comet sends the user's email and verification code to the Reddit comment section (Source: Brave)

02. Traditional protection measures completely fail, Agent products form a "lethal trio"

Brave said that this type of attack poses a major challenge to existing network security mechanisms. When Agent products such as AI browsers execute malicious instructions from untrusted web content, traditional protection measures (such as the same - origin policy and cross - origin resource sharing) will completely fail.

The browser in this case has all the user's permissions and operates in a logged - in state. Attackers may use this to gain access to sensitive services such as bank accounts, corporate systems, private emails, and cloud storage.

Different from traditional network vulnerabilities that usually target a single website or require complex exploitation processes, this type of attack can achieve access to other websites by simply implanting natural - language instructions on web pages. Its impact can cover the entire browser session.

This vulnerability is closely related to the design concept of the AI browser itself. Aravind Srinivas, the founder and CEO of Perplexity, revealed in an interview this year that the intelligent agent in Comet is "authorized by the user to act on their behalf" and can simulate the way humans use websites. This is to avoid relying on third - party MCPs and enable the browser to interact with the Internet more independently.

However, Brave's research shows that while this design enhances the operational capabilities of the AI browser, it also brings huge risks.

On Hacker News, many IT industry practitioners shared their views on this risk.

Some netizens analyzed that companies such as Google, OpenAI, and Anthropic have not released functions similar to Comet. Instead, they use virtual machines without cookies to browse the web. This shows that these companies have realized the risks of such behavior.

Some other netizens talked about the scope of influence of this risk. Different from past attacks that needed to target websites one by one, the security problem with large models is that once a set of prompt words can crack the model and obtain user privacy, it can basically be replicated on all，users using this model, achieving large - scale attacks.

Previously, many practitioners have paid attention to the risk issues of Agent - type products. Simon Willison, the founder of the Datasette open - source project and the proposer of the concept of "prompt injection" said that the three characteristics of Agent products have formed a "lethal trio".

These three characteristics include:

(1) Permission to access private data, which is also one of the most common purposes of AI tools;

(2) Exposure to untrusted content, such as text (or images) controlled by malicious attackers;

(3) The ability to communicate externally, which can be used to steal data.

▲ The "lethal trio" in Agent (Source: Simon Willison's personal blog)

If an Agent combines these three characteristics, attackers can easily trick it into accessing private data and sending it to them.

Simon Willison further analyzed that the usability of large models today mainly comes from their ability to follow instructions. The problem is that they don't just follow user instructions, but will follow any instructions.

This has become a common vulnerability in AI systems. Simon Willison has collected dozens of similar cases on his blog, affecting objects such as OpenAI's ChatGPT, Google Gemini, Amazon Q, Google NotebookLM, xAI's Grok, Anthropic's Claude iOS application, etc.

Almost all of these problems were quickly fixed by the companies, usually by locking the leakage vectors to prevent malicious instructions from stealing data.

However, Agents that can use tools bring more difficult - to - control risks. The ways in which tools can leak private data are almost infinite, such as making HTTP requests to APIs, loading images, or even providing links for users to click.

In his view, the only way to stay safe is to completely avoid the combination of these three capabilities.

03. How to avoid risks? Brave proposes four methods

However, the above three capabilities have become the core functions of Agent products. For companies that have already launched or are about to launch similar products, is there any way to avoid these risks?

Brave, which is also developing an AI browser, has summarized four methods from this case:

(1) AI browsers should be able to distinguish between user instructions and website content. When sending user instructions as context to the model, the browser should clearly separate user instructions from website content. The content of the page should always be regarded as untrusted.

(2) The model should judge whether the operations to be performed by the browser are consistent with the user's request based on the task and context.

(3) No matter what the previous Agent task plan was, operations involving security and sensitive information should require user confirmation.

(4) The browser should isolate the browsing of the intelligent agent from normal browsing. If the user only needs to summarize a web page, the browser should not have the permission to open an email account, send an email, or read other sensitive data. This separation is particularly important for Agent security.

04. Conclusion: Before entering the real world, Agents need to pass the "security test"

Currently, many domestic and foreign manufacturers have released Agent products that can operate browsers, mobile phones, computers, and other devices. These products can simplify some cumbersome tasks to a certain extent and help users improve efficiency.

However, before finally entering the real world on a large scale, all AI products should go through strict security assessments, "red - team testing" and other processes to avoid foreseeable risks as much as possible.

As the Google security engineer said, the security vulnerability in Perplexity this time is extremely basic and should have been noticed before the product was launched. This case also serves as a warning to other Agent products: while pursuing functional innovation and user experience, security should never be sacrificed.

This article is from the WeChat public account "Zhidongxi" (ID: zhidxcom), author: Chen Junda, published by 36Kr with authorization.