Brave discovered Perplexity's AI browser executes hidden malicious commands from web pages, bypassing decades of security protections. As every major browser adds AI agents, enterprises rush to buy secure alternatives.
🚨 Brave found Perplexity's Comet AI browser executes hidden malicious instructions from web pages, granting attackers access to users' logged-in email and banking accounts.
📊 Palo Alto Networks sold over 3 million secure browser licenses in one quarter as enterprises recognize AI agents make traditional browsing unsafe.
🔍 The attack works because AI browsers treat user commands and webpage content as identical text streams, unable to distinguish trusted from untrusted instructions.
🌐 Traditional web security protections like same-origin policy fail completely since AI agents operate with full user privileges across all logged-in sites.
🏢 Chrome, Edge, and Opera are all racing to add similar AI agent capabilities despite no proven solution to the underlying security problem.
🔒 Current fixes require architectural changes to AI systems, not just patches, as the vulnerability affects the entire category of agentic browsers.
A proof-of-concept shows an AI browser can exfiltrate email codes and bypass long-standing web defenses; enterprises rush to lock down the browser itself.
Brave’s security team says Perplexity’s agentic browser, Comet, executed malicious instructions hidden inside ordinary web pages—handing attackers access to users’ logged-in accounts across email and other services. The company detailed the flaw and its tests in Brave’s vulnerability write-up on Comet, later adding that fixes were incomplete after retesting.
How Comet got tricked
The core mistake was simple and consequential. When a user clicked “Summarize this page,” Comet sent both the user’s request and the page’s contents to its model as one undifferentiated stream. Brave hid attack instructions in a Reddit comment and watched the agent follow them—visiting Perplexity’s account page to harvest the user’s email, triggering account recovery on a look-alike domain with a trailing dot, then opening the user’s logged-in Gmail to pull the one-time passcode. No extra clicks required.
Why the web’s safety rails failed
Same-origin policy and CORS assume a human sits in the loop, making intent explicit and keeping sites in their lanes. An agentic browser collapses that boundary. With the user’s session cookies, the AI operates everywhere the human is signed in, treating language on a page—trusted or not—as authoritative instruction. That’s the threat.
The pattern isn’t isolated
Guardio Labs’ “Scamlexity” tests showed the same failure mode: Comet bought an Apple Watch on a fake “Walmart” site and auto-filled saved address and card details, and it marched through phishing emails to bogus bank logins. Sometimes it paused. Sometimes it didn’t. Their “PromptFix” twist hid instructions inside a fake CAPTCHA, nudging agents to click invisible buttons and download payloads. Old scams, new fuel.
Follow the money: secure browsers boom
Enterprises are already voting with budgets. On its latest earnings call, Palo Alto Networks said it sold more than three million Prisma Access Browser licenses in the quarter and doubled cumulative seats to over six million, calling enterprise browsers the “new operating system” for AI-era work. That positioning now looks prescient. If agents live in the browser, the browser becomes the control plane. Full stop.
A hard problem, not a patch
Brave proposes a mitigation: separate the user’s instructions from page content and always treat the page as untrusted. Sensible in principle. In practice, today’s LLMs read concatenated tokens; distinguishing “trusted instruction” from “untrusted content” inside the same context remains an unsolved research problem. Security researchers have said as much for years. The architecture fights you.
Conflict and context
Brave is hardly a disinterested observer—it’s building its own agent, Leo. That matters. But disclosure timelines, public demos, and independent replications suggest the Comet issue is real and emblematic of the category. Rivals can both compete and be correct.
What vendors are trying now
Browser makers are testing guardrails that require explicit user confirmation before sensitive actions (sending email, initiating purchases), permissioning agents separately from everyday tabs, and isolating agentic sessions from normal browsing. Good steps, if uneven. Security vendors are bolting on reputation checks, phishing heuristics, and file-sanitization that trigger before an agent acts. The goal is to re-insert friction where the agent blithely removed it. Progress will be incremental.
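The two mitigations above, keeping the user's request separate from page content and gating sensitive or off-origin actions behind explicit confirmation, sketched as an added Python example (not Comet's, Brave's or any vendor's code). The action kinds, the `confirm` callback and the sample plan are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical action kinds that change state or read secrets; each needs a human "yes".
SENSITIVE_KINDS = {"send_email", "read_inbox", "submit_form", "purchase"}

@dataclass
class Action:
    kind: str      # e.g. "navigate", "read_inbox"
    url: str = ""  # target of the action, if any

def build_model_input(user_instruction: str, page_text: str) -> dict:
    """Hand the model two labelled fields instead of one concatenated string.
    Everything under 'untrusted_page_content' is data to summarise, never a command."""
    return {"trusted_user_instruction": user_instruction,
            "untrusted_page_content": page_text}

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def review_plan(plan: list, task_url: str, confirm) -> list:
    """Gate each planned action against the origin the user's task started on.
    Sensitive, off-origin or trailing-dot-host actions run only if confirm(action)
    (the human) returns True. Returns (action, allowed, reason) per step."""
    task_host = host_of(task_url)
    verdicts = []
    for act in plan:
        host = host_of(act.url)
        reasons = []
        if act.kind in SENSITIVE_KINDS:
            reasons.append("sensitive action")
        if host and host != task_host:
            reasons.append("off-origin")
        if host.endswith("."):  # 'example.com.' is a distinct origin, a look-alike trick
            reasons.append("trailing-dot look-alike host")
        if not reasons:
            verdicts.append((act, True, "allowed: same-origin read"))
            continue
        ok = bool(confirm(act))
        verdicts.append((act, ok, ("confirmed" if ok else "blocked") + ": " + ", ".join(reasons)))
    return verdicts

# Constructed sample: the user asked for a summary of a Reddit thread, but the plan
# the agent produced follows the pattern of the injected comment described above.
INJECTED_PLAN = [
    Action("navigate", "https://www.reddit.com/r/example/comments/1"),
    Action("navigate", "https://www.perplexity.ai/account"),
    Action("navigate", "https://www.perplexity.ai./recover"),  # trailing-dot look-alike
    Action("read_inbox", "https://mail.google.com/"),
]

if __name__ == "__main__":
    for act, ok, why in review_plan(INJECTED_PLAN, "https://www.reddit.com/", lambda a: False):
        print(f"{act.kind:11} {act.url:48} {why}")
```

With no human in the loop (`confirm` always False) every step after the first is blocked; the gate is only as good as the confirmation prompt, so the reason string should be shown to the user verbatim.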
The enterprise calculus
For CIOs, the trade-off is blunt: agentic convenience buys productivity yet expands blast radius. One errant instruction—hidden in a comment, an HTML node, a PDF—can trigger cross-domain actions with the user’s full privileges. Policy alone won’t save you. Controls must live where the agent executes: the browser.
Why this matters:
Agentic AI collapses decades of web-security assumptions, turning untrusted content into actionable commands; mitigations require architectural changes, not just filters.
As companies adopt AI agents, the secure-browser market becomes a strategic spend, not an add-on—shifting how enterprises budget for, deploy, and govern everyday work on the web.
Q: What exactly is an "agentic browser" and how is it different from ChatGPT?
A: Agentic browsers like Comet can actually click buttons, fill forms, and navigate websites autonomously using your logged-in accounts. Unlike ChatGPT which just provides text responses, these browsers perform real actions—booking flights, making purchases, sending emails—without requiring human clicks for each step.
Q: Are Chrome, Edge, and other browsers vulnerable to the same attacks?
A: All browsers adding AI agent capabilities face the same fundamental problem—distinguishing trusted user commands from untrusted webpage content. Chrome's Project Mariner, Microsoft's Copilot in Edge, and Opera's AI features use similar architectures that process text without reliable separation between instruction sources.
Q: How much do enterprise secure browsers cost compared to regular browsers?
A: Palo Alto Networks' Prisma Access Browser sold 3 million licenses in one quarter, but pricing isn't disclosed. Enterprise browser security typically costs $15-50 per user monthly, compared to free consumer browsers. The premium reflects enterprise-grade monitoring, policy controls, and threat protection.
Q: Can individual users protect themselves without buying enterprise solutions?
A: Limited options exist. Users can disable AI browser features, use separate browsers for banking versus AI tasks, or manually review every AI-suggested action. However, these workarounds eliminate the convenience that makes agentic browsers appealing in the first place.
Q: Did Perplexity actually fix the Comet vulnerability that Brave reported?
A: Partially. Perplexity implemented initial patches by July 27, but Brave's retesting revealed continued vulnerabilities. As of August 20, Brave updated their disclosure to confirm the attack still works and re-reported the issue to Perplexity.
Tech translator with German roots who fled to Silicon Valley chaos. Decodes startup noise from San Francisco. Launched implicator.ai to slice through AI's daily madness—crisp, clear, with Teutonic precision and deadly sarcasm.