Perplexity’s Comet Browser Vulnerability Exposes Users to Malicious Prompt Injection

A recently identified vulnerability in Perplexity’s Comet AI browser has raised significant security concerns. This flaw allows attackers to inject malicious prompts through seemingly harmless screenshots, potentially compromising user data and system integrity. The issue was disclosed on October 21, 2025, highlighting the ongoing risks associated with emerging AI-powered browsing technologies.

Understanding the Vulnerability

Comet’s screenshot feature is designed to enable users to query images from websites by capturing and analyzing screenshots. However, this functionality can be exploited by embedding nearly invisible malicious instructions within web content. For instance, attackers can insert faint light blue text on a yellow background within images, which remains undetectable to the human eye but can be extracted by the browser’s text recognition system, likely through optical character recognition (OCR). These hidden commands are then fed directly into the large language model (LLM) without proper sanitization.
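As an added illustration (not code from Brave, Perplexity or the original report), the sketch below shows one heuristic check against the low-contrast text described above. It computes the WCAG contrast ratio between each OCR region's text and background colours and withholds regions a person could not realistically have read. The region format, the 3.0 threshold and all function names are assumptions, and the check covers only colour-contrast hiding.

```python
# Added example: flag OCR text regions a human is unlikely to have seen.
# Assumption: the OCR stage reports each region's text plus sampled
# foreground/background RGB colours; real OCR engines differ.

def _linear(channel):
    """Convert an sRGB channel (0-255) to linear light, per WCAG 2.x."""
    c = channel / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4

def relative_luminance(rgb):
    r, g, b = (_linear(v) for v in rgb)
    return 0.2126 * r + 0.7152 * g + 0.0722 * b

def contrast_ratio(fg, bg):
    """WCAG contrast ratio: 1.0 (same colour) up to 21.0 (black on white)."""
    hi, lo = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

MIN_VISIBLE_RATIO = 3.0  # assumption: WCAG minimum for large text

def partition_regions(regions, min_ratio=MIN_VISIBLE_RATIO):
    """Split OCR regions into (visible, hidden) by text/background contrast."""
    visible, hidden = [], []
    for region in regions:
        ratio = round(contrast_ratio(region["fg"], region["bg"]), 2)
        (visible if ratio >= min_ratio else hidden).append({**region, "ratio": ratio})
    return visible, hidden

def screenshot_text_for_model(regions):
    """Forward only human-readable text; surface the rest for user review."""
    visible, hidden = partition_regions(regions)
    return {
        "text": "\n".join(r["text"] for r in visible),
        "withheld": [r["text"] for r in hidden],
        "needs_user_review": bool(hidden),  # pause any agent action if True
    }

# Constructed sample: one normal caption and one light-blue-on-yellow region.
SAMPLE_REGIONS = [
    {"text": "Quarterly results: revenue up 4%",
     "fg": (0, 0, 0), "bg": (255, 255, 255)},
    {"text": "<constructed placeholder for hidden text>",
     "fg": (173, 216, 230), "bg": (255, 255, 0)},
]

if __name__ == "__main__":
    print(screenshot_text_for_model(SAMPLE_REGIONS))
```

Text that passes the check is still untrusted page content and should reach the model as data, never as instructions.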

Mechanism of the Attack

When a user takes a screenshot of a compromised page, the concealed instructions are processed as part of the legitimate query. This manipulation can deceive the AI into executing harmful actions, such as navigating to phishing sites or extracting sensitive data from authenticated accounts. For example, if a user is logged into their bank or email account, a simple screenshot could lead to unauthorized transfers or data theft, as the AI operates with the user’s privileges.

Research and Disclosure

Brave’s Senior Mobile Security Engineer, Artem Chaikin, and VP of Privacy and Security, Shivan Kaul Sahib, detailed this exploit in their latest report. This disclosure is part of Brave’s ongoing series on security challenges in agentic browsing, following a prior revelation of a similar issue in Comet. The researchers emphasize that such vulnerabilities are not isolated incidents but represent a broader systemic problem across AI browsers.

Demonstration and Implications

Brave demonstrated the exploit in a controlled environment, showcasing how hidden prompts can override user intent. The researchers noted that AI browsers that take actions on your behalf are powerful yet extremely risky, referencing a Malwarebytes report on how even summarizing a Reddit post could lead to financial loss. This vulnerability echoes issues in other browsers, like Fellou, where navigating to a malicious site sends page content to the LLM, allowing visible instructions to manipulate queries.

Broader Security Concerns

The implications of this vulnerability are significant because traditional web protections, such as the same-origin policy, are ineffective in this context. Untrusted content can influence the AI’s decisions, potentially leading to cross-domain exploits affecting banks, healthcare portals, or cloud storage services. Attackers could target everyday scenarios, such as browsing social media or forums, to trigger these exploits.

Responsible Disclosure and Recommendations

Brave responsibly reported the Comet issue to Perplexity on October 1, 2025, with public disclosure following on October 21 after the initial response. The company urges isolating agentic features from regular browsing and requiring explicit user confirmation for sensitive actions. As agentic browsers gain traction, experts call for industry-wide safeguards. Brave is exploring solutions through its research team and plans to roll out secure AI features for its 100 million users. Until then, users should approach these tools cautiously, especially with logged-in sessions.