Cybersecurity experts have uncovered a new threat called CometJacking, which exploits Perplexity’s agentic AI browser, Comet, by injecting malicious prompts hidden inside seemingly harmless links. This sophisticated attack is capable of extracting sensitive data—including emails and calendar details—from services already connected to the browser.
This technique, known as a prompt injection attack, involves a malicious link designed to trigger the browser’s AI to behave unexpectedly. Unsuspecting users who click these links can unknowingly hand over their information to attackers.
Michelle Levy, Head of Security Research at LayerX, explained:
“CometJacking demonstrates how a single weaponized URL can discreetly turn an AI browser from a reliable co-pilot into an insider threat. This isn’t just simple data theft—attackers hijack the agent that already has privileged access. Our findings show that basic obfuscation tricks, like Base64 encoding, can bypass security checks and exfiltrate data such as emails and calendar information—all with a single click. AI-native browsers must incorporate security by design for agent prompts and memory access, not just traditional web content security.”
Unlike typical credential theft, CometJacking leverages the already authorized access of the browser. When a victim clicks a specially-crafted link (shared in phishing emails or embedded in websites), it activates hidden instructions via the browser’s URL parameters. Instead of directing the user as expected, the link tells Comet’s AI to pull data—such as Gmail contents—obfuscate it, and then transfer it to an endpoint controlled by the attacker.
Perplexity has maintained that these findings pose “no security impact.” However, this research highlights how AI-driven browser tools introduce new vulnerabilities that traditional defenses may miss, putting user and organizational data at risk.
This is not the first AI browser vulnerability report. Back in August 2020, Guardio Labs described another attack called Scamlexity, which allowed threat actors to manipulate AI browsers into interacting with phishing sites and fake storefronts, all without any user action.
Or Eshed, CEO of LayerX, commented:
“AI browsers represent a new frontier for enterprise security. If an attacker can direct your AI assistant with a single link, the browser effectively becomes a command center within the organization. Companies must move quickly to implement controls that identify and block malicious agent prompts before these proof-of-concept attacks evolve into widespread exploits.”
