Researchers have discovered a critical security vulnerability in Perplexity’s Comet AI browser that allows attackers to inject malicious commands through hidden text in screenshots.
The vulnerability, disclosed on October 21, 2025, demonstrates how AI-powered browsers can become dangerous gateways for attackers to access users’ sensitive accounts like banking and email services.
How Attackers Hide Dangerous Instructions in Images
The attack works by embedding nearly invisible instructions within web content using a technique called steganography.
Security researchers at Brave created a proof-of-concept attack using faint light blue text on a yellow background, making the malicious commands invisible to the human eye.
When a user takes a screenshot of a webpage containing these hidden instructions, Perplexity’s Comet browser uses optical character recognition (OCR) to extract all text, including the camouflaged malicious commands and feeds them directly to the AI system without filtering or validation.
This means when users capture a screenshot to ask Comet questions about a webpage, they’re unknowingly handing attackers a direct line to the AI assistant’s powerful browser controls.
The AI treats these hidden instructions as legitimate commands rather than untrusted webpage content, allowing attackers to manipulate the browser into performing unauthorized actions.
The implications are severe for anyone who keeps important accounts logged in during browsing.
If an attacker successfully injects a prompt into Comet, the AI could access your bank account, steal emails, compromise corporate systems, or exfiltrate data from cloud storage all because you took a screenshot of a compromised webpage.
The vulnerability completely bypasses traditional web security protections like the same-origin policy, which normally prevents websites from accessing each other’s data.
Security researcher Artem Chaikin and Shivan Kaul Sahib from Brave emphasized that this isn’t an isolated problem.
Their research uncovered similar vulnerabilities in other agentic browsers, including Fellou, where simply asking the AI to navigate to a malicious website allows attackers to inject commands through visible webpage content.
Brave researchers responsibly reported the Comet vulnerability to Perplexity on October 1, 2025, giving the company time to address the issue before public disclosure.
The research reveals a fundamental design flaw in how AI browsers handle the boundary between user commands and untrusted web content when executing actions on users’ behalf.
Until agentic browsers implement proper safety barriers between content and commands, security experts recommend treating these tools as inherently risky.
Ideal safeguards would isolate AI browsing features from regular browsing and only activate them when users explicitly request them.
For now, users should avoid keeping sensitive accounts logged in while using agentic browser features, or avoid these tools entirely until stronger protections are implemented.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
