Brave, the well-known privacy-focused browser, has launched a strong accusation against Comet, the new browser powered by artificial intelligence (AI) from Perplexity. According to Brave, Comet has serious security flaws that could put very sensitive user data at risk.

Security flaws in Comet and how they work

The main vulnerability detected by Brave in Comet lies in how this AI browser processes web page content. When the user asks Comet, for example, to summarize a page, it sends part of that page's content directly to its language model, without clearly distinguishing between the user's instructions and potentially malicious web content.

This allows attackers to hide dangerous instructions on the web page—such as white text on a white background or invisible HTML comments—for the AI ??assistant to execute unwittingly.

This mechanism is known as “indirect command injection” and is particularly concerning because it turns the assistant into an agent that can perform malicious actions without the user's explicit consent. For example, malicious text can instruct the AI ??to navigate to the user's bank account, extract saved passwords, or even access personal emails. These attacks can also arise from user-generated content on social media, such as a Reddit comment with hidden instructions.

In the demonstration of this vulnerability, we showed how a user using Comet to summarize a Reddit comment could unknowingly trigger instructions that cause the browser to log into their Perplexity account, grab their email and a one-time token (OTP), and send this information to the attacker via the comment itself. All of this happens without any additional intervention, simply by processing the page content.

Why this flaw is a serious risk to users

This type of attack breaks through traditional web protections like Same-Origin Policy or Correspondence Resource Sharing Controls (CORS), which typically prevent a website from accessing data on another domain or injecting malicious commands. Instead, AI-powered Comet operates with the user's full privileges, within already authenticated sessions to major services like online banking, email, cloud storage, and private platforms.

The risk is particularly dangerous because it doesn't require the user to click on suspicious links or perform complex actions. It only takes the AI ??to process seemingly harmless content that conceals malicious natural language instructions. This flaw also shows that classic security concepts must evolve to address browsers that act as autonomous agents that interpret and execute commands.

Furthermore, because it is an "indirect" attack, the danger extends across the browser, putting not only an isolated website at risk but all the user's active sessions. Attackers can hide their instructions on any website or in comments, making this threat much broader and harder to control.

Necessary measures to protect users

Brave proposes several strategies to mitigate these risks and strengthen security in AI-powered browsers like Comet. The most important is that the browser must clearly differentiate between user instructions and the content of the web page, always treating the latter as untrusted content. It's critical that any output or action generated by AI be explicitly validated and aligned with the user's actual instructions, avoiding executing hidden commands.

It's also crucial that any sensitive actions related to security and privacy, such as sending emails or accessing confidential data, always require direct user interaction as prior confirmation. This prevents the agent from acting autonomously in critical processes.

Another key point is isolating agentic browsing from normal browsing, so that the user is aware when they are allowing the browser to act automatically and with powerful capabilities. This reduces the risk of accidentally triggering attacks.

Finally, Brave highlights that the software industry must develop new security architectures specifically for these AI-powered browsers that protect privacy and trust from the design stage, without leaving these issues as an afterthought.