On October 21, internet company Brave disclosed significant new vulnerabilities in Perplexity’s AI-powered web browser Comet that expose users to “prompt injection” attacks via images and hidden text.
According to the company’s blog, an attacker can embed faint, nearly invisible instructions inside a website or webpage image, which the agent then misinterprets as legitimate user input when the user takes a screenshot, thereby allowing the attacker to commandeer the browser’s large language model (LLM) tools.
Brave’s research team found that when Comet processes a user-initiated screenshot containing camouflaged text (for example, faint light-blue text on a yellow background), the optical-character-recognition (OCR) path extracts the embedded instructions and passes them to the LLM as if they were part of the user’s query.
In effect, the browser’s agent can be tricked into acting on behalf of an attacker rather than simply summarising or answering a legitimate user request, a novel twist on previously recorded prompt-injection techniques.
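The camouflaged-text condition above (faint light-blue text on a yellow background) can be screened for before page text is handed to an OCR or LLM pipeline. The following is an added example, not code from Brave or Perplexity: it applies the WCAG 2.x contrast-ratio formula to each text segment and drops segments a human could not plausibly see; the `TextSegment` structure, colours and sample page are constructed for illustration.

```python
# Added example: screen out low-contrast (camouflaged) text before an agent
# treats page content as input. Segments and colours are constructed samples.
from dataclasses import dataclass


def _channel(c: int) -> float:
    """Linearise one 8-bit sRGB channel (WCAG 2.x relative-luminance step)."""
    s = c / 255
    return s / 12.92 if s <= 0.03928 else ((s + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_colour: str) -> float:
    h = hex_colour.lstrip("#")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _channel(r) + 0.7152 * _channel(g) + 0.0722 * _channel(b)


def contrast_ratio(fg: str, bg: str) -> float:
    """WCAG contrast ratio, from 1.0 (identical) up to 21.0 (black on white)."""
    light, dark = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (light + 0.05) / (dark + 0.05)


@dataclass
class TextSegment:          # hypothetical: one run of text with its computed styles
    text: str
    colour: str
    background: str


def is_camouflaged(seg: TextSegment, min_ratio: float = 4.5) -> bool:
    """4.5:1 is the WCAG AA minimum for body text; anything below it is suspect."""
    return contrast_ratio(seg.colour, seg.background) < min_ratio


def visible_text(segments, min_ratio: float = 4.5):
    """Return (text a human would see, list of dropped low-contrast segments)."""
    kept, dropped = [], []
    for seg in segments:
        (dropped if is_camouflaged(seg, min_ratio) else kept).append(seg)
    return " ".join(s.text for s in kept), dropped


# Constructed page: ordinary black-on-white copy plus one faint light-blue-on-yellow run.
SAMPLE_PAGE = [
    TextSegment("Quarterly report: revenue grew 4% year over year.", "#000000", "#FFFFFF"),
    TextSegment("(hidden instruction intended for the agent)", "#ADD8E6", "#FFFF00"),
    TextSegment("Contact the finance team for details.", "#222222", "#FAFAFA"),
]

if __name__ == "__main__":
    text, dropped = visible_text(SAMPLE_PAGE)
    print(text)
    print("dropped:", [(s.text, round(contrast_ratio(s.colour, s.background), 2)) for s in dropped])
```

Dropped segments should be logged rather than silently discarded, since a page that hides text from humans but not from OCR is itself a useful detection signal.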
Moreover, the research highlights that this issue is not confined to Comet alone. The blog describes this particular vulnerability as “systemic” across agentic AI browsers that act on behalf of users and maintain authenticated sessions.
Elsewhere, Brave identified vulnerabilities in another AI browser named Fellou. Here, the researchers found that attackers can embed commands directly within a website’s visible text, which the AI browser then forwards to its LLM.
When this happens, the AI browser sends both the user’s query and the entire page content to the AI model, effectively allowing the malicious page to override user intent and hijack the assistant’s behaviour.
The Risks Of Prompt Injection
Attackers can use prompt injection in AI browsers to obtain and exfiltrate sensitive data that the browser can access during normal use. Brave’s research shows that when an agent ingests untrusted page content, an embedded instruction can cause the model to read data available in the user’s authenticated sessions, including emails, cloud storage, and other account content, and return it to an attacker.
In practice, the researchers also showed that attackers can instruct the agent to locate short-lived secrets such as one-time passwords (OTPs) and session tokens embedded in page content, then extract and forward them. Because the agent acts with the user’s full privileges, this capability effectively bypasses standard browser protections such as the same-origin policy (SOP) and Cross-Origin Resource Sharing (CORS), which normally control what a webpage can access.
Furthermore, prompt injections can facilitate fraudulent actions: the agent may be induced to autofill billing details, complete purchases on fake sites, or follow phishing workflows that lead to credential theft and financial loss. For context, LayerX’s comparative testing…