
"This isn't just about stealing data; it's about hijacking the agent that already has the keys. Our research proves that trivial obfuscation can bypass data exfiltration checks and pull email, calendar, and connector data off-box in one click. AI-native browsers need security-by-design for agent prompts and memory access, not just page content."
"The attack, in a nutshell, hijacks the AI assistant embedded in the browser to steal data, all while bypassing Perplexity's data protections using trivial Base64-encoding tricks. The attack does not include any credential theft component because the browser already has authorized access to Gmail, Calendar, and other connected services. It takes place over five steps, activating when a victim clicks on a specially crafted URL, either sent in a phishing email or present in a web page. Instead of taking the user to the "intended" destination, the URL instructs the Comet browser's AI to execute a hidden prompt that captures the user's data from, say, Gmail, obfuscates it using Base64-encoding, and transmits the information to an endpoint under the attacker's control."
CometJacking is a prompt-injection attack that weaponizes a single URL to make Perplexity's Comet AI browser execute hidden prompts and exfiltrate user data. The attack leverages the browser's existing authorized access to Gmail, Calendar, and connectors, so no credential theft is required. The malicious URL uses the "collection" parameter and trivial Base64 encoding to bypass data-exfiltration checks, capture content, obfuscate it, and send it to an attacker-controlled endpoint. The attack activates when a user clicks a crafted link in email or on a webpage. Mitigation requires security-by-design for agent prompts, memory access controls, and stronger URL handling.
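The Base64 bypass described above can be seen from the defender's side in the following added example, which is not code from the article, from the researchers, or from Perplexity. It assumes a hypothetical egress check that pattern-matches outbound request bodies, and compares it with a version that decodes Base64-looking runs before matching. The function names, patterns, and sample mail text are all constructed for illustration.

```python
import base64
import binascii
import json
import re

# Hypothetical patterns an outbound-data check might look for (assumption).
SENSITIVE = [
    re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),  # e-mail address
    re.compile(r"(?i)\b(subject|from|to):\s"),                      # mail header field
]
# Runs of 16+ characters from the standard or URL-safe Base64 alphabets.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

# Constructed sample data, not taken from any real mailbox.
CONSTRUCTED_MAIL = "From: alice@example.com\nSubject: Q3 budget review\n"

def naive_check(body: str) -> bool:
    """Flag a body only if sensitive patterns appear in it verbatim."""
    return any(p.search(body) for p in SENSITIVE)

def decode_candidates(body: str, depth: int = 2):
    """Yield text recovered from Base64-looking runs, following nesting up to `depth`."""
    if depth == 0:
        return
    for match in B64_RUN.finditer(body):
        run = match.group(0).rstrip("=").replace("-", "+").replace("_", "/")
        run += "=" * (-len(run) % 4)  # restore padding stripped or omitted in transit
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64, or not text: nothing to scan
        yield text
        yield from decode_candidates(text, depth - 1)

def hardened_check(body: str) -> bool:
    """Flag a body if patterns appear verbatim or inside decoded Base64 runs."""
    return naive_check(body) or any(naive_check(t) for t in decode_candidates(body))

def encoded_body(text: str = CONSTRUCTED_MAIL) -> str:
    """Build a JSON request body carrying `text` as Base64, as an agent might send it."""
    return json.dumps({"d": base64.b64encode(text.encode()).decode()})

if __name__ == "__main__":
    body = encoded_body()
    print("naive check flags body:   ", naive_check(body))
    print("hardened check flags body:", hardened_check(body))
```

Decoding before matching only closes this one obfuscation; other encodings would need their own normalisation step.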
Read at The Hacker News