A brand new vulnerability in Perplexity’s Comet AI browser permits attackers to inject malicious prompts by way of seemingly innocuous screenshots.
Disclosed on October 21, 2025, this flaw builds on earlier issues about immediate injection in agentic browsers, AI-powered instruments that act on customers’ behalf.
The invention highlights ongoing dangers in these rising applied sciences, the place hidden directions can hijack person classes and entry delicate information.
Of their newest report, Courageous’s Senior Cellular Safety Engineer Artem Chaikin and VP of Privateness and Safety Shivan Kaul Sahib element how Comet’s screenshot function, designed to let customers question pictures from web sites, will be exploited.
That is the second installment in Courageous’s sequence on safety challenges in agentic searching, following a previous disclosure of the same problem in Comet.
The researchers emphasize that such vulnerabilities should not remoted however symbolize a broader systemic drawback throughout AI browsers.
Hidden Textual content In Screenshots Bypasses Safeguards
The assault exploits Comet’s capacity to research screenshots for person questions. Attackers embed practically invisible malicious directions into internet content material, reminiscent of faint gentle blue textual content on a yellow background inside pictures.
These directions evade human detection however are extracted by the browser’s textual content recognition, possible by way of optical character recognition (OCR), and fed straight into the massive language mannequin (LLM) with out correct sanitization.
As soon as a person takes a screenshot of the contaminated web page, the hidden instructions masquerade as a part of the reliable question.
This methods the AI into executing dangerous actions, like navigating to phishing websites or extracting information from authenticated accounts.
As an illustration, if a person is logged into their financial institution or e-mail, a easy screenshot might authorize transfers or information theft, because the AI operates with the person’s privileges.
Courageous demonstrated the exploit in a managed setup, exhibiting how hidden prompts override person intent.
“AI browsers that take actions in your behalf are highly effective but extraordinarily dangerous,” the researchers word, referencing a Malwarebytes report on how even summarizing a Reddit put up might result in monetary loss.
This screenshot vulnerability echoes points in different browsers, like Fellou, the place navigating to a malicious web site sends web page content material to the LLM, permitting seen directions to govern queries.
Courageous has withheld particulars about an extra browser flaw and plans to reveal extra info quickly. The implications are vital as a result of conventional internet protections, such because the same-origin coverage, are ineffective right here; untrusted content material can affect the AI’s selections.
Attackers might goal on a regular basis situations, searching social media or boards to set off cross-domain exploits affecting banks, healthcare portals, or cloud storage.
Courageous responsibly reported the Comet problem to Perplexity on October 1, 2025, with public disclosure following on October 21 after the preliminary response.
The corporate urges isolating agentic options from common searching and requiring express person affirmation for delicate actions. As agentic browsers achieve traction, specialists name for industry-wide safeguards.
Courageous is exploring options by way of its analysis staff and plans to roll out safe AI options for its 100 million customers. Till then, customers ought to method these instruments cautiously, particularly with logged-in classes.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
