Cybersecurity researchers have revealed a new attack method named CometJacking that targets the Perplexity AI browser, Comet. This attack involves embedding malicious prompts within seemingly harmless links to steal sensitive information, such as data from connected services like email and calendars.
The attack operates through a simple mechanism: when a victim clicks on a specially crafted URL—often disguised in a phishing email—the Comet browser’s AI is manipulated to execute a hidden prompt. This prompt captures user data from services like Gmail, encodes it using Base64, and sends it to an endpoint controlled by the attacker.
Michelle Levy, the Head of Security Research at LayerX, described CometJacking as a significant threat, stating that it turns a seemingly trustworthy AI browser into an insider threat. She emphasized that the attack does not involve stealing credentials since the browser already has authorized access to sensitive services. Instead, it relies on the browser’s internal permissions to exfiltrate data.
The attack consists of five steps, beginning when a victim clicks on the crafted URL. Instead of navigating to the intended website, the browser’s AI is directed to consult its stored memory, capturing user data and bypassing typical data protection measures.
Although Perplexity has downplayed the security implications of these findings, it underscores the security vulnerabilities that come with AI-natives tools, which can easily bypass conventional defenses. Or Eshed, CEO of LayerX, highlighted the urgent need for organizations to evaluate and enhance their security protocols against such emerging threats, which can turn trusted AI browsers into vectors for data breaches.
This method follows previous tactics, such as Scamlexity, where AI browsers have been deceived into interacting with malicious sites, indicating that AI browsers present a new front in cybersecurity challenges.
Welcome to DediRock, your trusted partner in high-performance hosting solutions. At DediRock, we specialize in providing dedicated servers, VPS hosting, and cloud services tailored to meet the unique needs of businesses and individuals alike. Our mission is to deliver reliable, scalable, and secure hosting solutions that empower our clients to achieve their digital goals. With a commitment to exceptional customer support, cutting-edge technology, and robust infrastructure, DediRock stands out as a leader in the hosting industry. Join us and experience the difference that dedicated service and unwavering reliability can make for your online presence. Launch our website.