New Security Flaws Found in Perplexity Comet Browser

If you've been hyped up about AI browsers that can take you around the web for you, think again. Security researchers have just shared some pretty ominous news about our favorite browser, Perplexity's Comet, and to be honest, it's causing a stir in the tech community.

What's Going On With Comet?

Here's the deal. Several security teams have been poking at Comet's defenses, and what they found isn't great. Research has found that Comet is 85% more susceptible to phishing attacks and web attacks than Chrome. That's not a small difference, and when you're talking about a browser which has access to your personal stuff, these numbers count.

The issues essentially boil down to two categories. First, there's the entire phishing protection point. Second, and this one's a bit more technical, is something called "indirect prompt injection" that's giving us headaches.

The Phishing Problem

Let's begin with the easier problem. Comet was also tested against 100 known phishing websites, and what LayerX security folks discovered was pretty terrifying when they analyzed the results: Both Comet and Genspark only blocked 7% of these malicious pages and 93% of known active phishing sites got through.

To put that in perspective, Edge was even better at 54% and Chrome was only able to stop 47% of the same threats. That's a huge difference. The study found that Comet does not have Google's Safe Browsing protections against known malicious pages built into it, which most other browsers use as a last resort defense.

Image showing comparison between phishing attack warning screen for different browsers

Think of it like this: if the traditional browsers are like a bouncer checking IDs at the door, Comet is basically standing aside and letting everyone just walk in. The few sites it does block? Those are caught because they have obvious technical issues, not because Comet identified them as dangerous.

The "Lethal Trifecta" Attack

Now this is where things get really interesting, and a little frightening. Brave researchers discovered what they're calling a fundamental security flaw in the way Comet handles web pages. When users ask Comet to summarize a webpage, it feeds some of the page directly to its AI without differentiating between the user's instructions and untrusted content from the webpage.

Why does this matter? Because attackers are able to conceal malicious instructions directly in the page itself. These commands could be embedded in white text on white backgrounds, HTML comments, or other non-visible elements. When Comet's AI scans the page, it sees these hidden commands and interprets them as actual requests made by you.

How Bad Can It Get?

Pretty bad, actually. In one demonstration, the researchers were able to demonstrate how an attacker could:

1. Hide malicious code in something as harmless as a Reddit comment
   Wait for someone to visit that page and click on Summarize this page in Comet
   See it automatically follow those hidden instructions with the AI.
2. The contaminated code could tell Comet to go to the user's banking website, retrieve stored passwords or exfiltrate sensitive information to an attacker-controlled server. In one test case, the AI was tricked into intercepting a one-time password from Gmail and sending it to the attacker.
3. The really concerning part? Once the user attempts to summarize content which contains the malicious code, the attack occurs without requiring any additional user action. You press a button, planning on getting a summary, and voila, your credentials are lost.

Why the Old Security Does Not Work Here

How is this different from common browser flaws? When a human-like artificial intelligence assistant executes malicious commands from untrusted webpage content, traditional protections like same-origin policy and cross-origin resource sharing become meaningless.

Think about it. The AI runs with all your privileges. If you're logged into your bank, your email, your social media, the AI can access all of that. It's kind of like handing someone your house keys and your security code, except that someone can be fooled by instructions written on a piece of paper they found on the street.

How Perplexity Is Addressing It

To their credit, Perplexity did not simply overlook these findings. Perplexity confirmed the vulnerability reported by Brave on July 25, 2025, and deployed an initial patch on July 27. However, there's a catch. Further testing indicated that the fix was incomplete, and after public disclosure further testing showed that Perplexity has not fully mitigated against this type of attack.

That's not great, especially because Comet just went free everywhere in the world. In the past, it was limited to subscribers of its $200/month Perplexity Max subscription. These security gaps are worsened now that the computers are open to the public.

What Cyber-Security Professionals Recommend

Researchers have drawn up a number of ways to make AI browsers safer. The key ideas include:

Distinguish Between User Commands and Web Content: The browser must have a different interpretation of your instructions than those on the webpage. Everything from the web is potentially dangerous.

Require Verification for Sensitive Actions: Actions such as sending emails, making purchases, or accessing financial accounts should always require your explicit approval, even if the AI believes that's what you intended.

Separate AI Browsing From Normal Browsing: Powerful agentic capabilities should be separate from normal browsing activities, and this should be intuitive to the user. Don't accidentally end up in an AI mode where you can make the AI do anything for you.

The Bigger Picture

This isn't just about Comet. "The problems we found hint at larger issues for the wider AI browser ecosystem." These tools are also becoming increasingly attractive to attackers as their capabilities grow. The rise of agentic AI browsers - which can autonomously browse websites, carry out transactions, and log in to users' sensitive accounts - has introduced security vulnerabilities like never before.

Similar issues have been experienced with other AI browsers such as Claude's extension but to a smaller extent. The key problem is how to make AI assistants powerful enough to be useful, but keep them under tight enough controls that they can't be fooled into harming us.

Should You Use Comet?

That's your call to make, but you should go in with your eyes open. If you're just using it for some casual browsing and summarizing articles, the risk is probably manageable. But using Comet for anything involving sensitive data such as banking, healthcare portals or work accounts? That's where you have to really be careful.

The research is clear: users of Comet and Genspark browsers are disproportionately exposed to phishing and malicious web pages, up to 85% more so than users of Chrome, Edge and Dia. Those aren't great odds when your personal information is on the line.

What Comes Next

The good news is that these vulnerabilities were discovered by security researchers, not discovered in the wild and doing damage. Perplexity is now aware of these problems and is working on solutions. The rest of the AI browser industry is taking notice as well.

Brave, for instance, is working to build their own AI browsing functionality with these lessons in mind. They're working on what they call "robust defenses" to prevent similar attacks in their Leo assistant. Whether other companies will follow suit remains to be seen.

For now, if you're using Comet, or considering trying it, just know what you're getting yourself into. The technology is cool, there's no question about that. But cool tech that isn't secure is a problem waiting to happen. Keep sensitive tasks to traditional browsers until these AI browsers prove they can protect your data as well as they can summarize your content.

The race to build better AI assistants is an exciting one, but security can't be an afterthought. Let's hope that the industry sorts this out before someone gets really hurt.