Researchers have recognized a possible safety vulnerability in Perplexity’s new agentic AI browser, Comet, that might enable attackers to maliciously instruct the browser agent by way of oblique immediate injection and acquire entry to delicate person knowledge, together with emails, banking passwords, and different private info.
The vulnerability is rooted in how Comet handles webpage content material when responding to person prompts like ‘summarise this webpage’, safety researchers at Courageous, a privacy-focused search engine and browser firm, mentioned in a weblog put up on August 20.
They claimed that Comet fails to differentiate between person directions and untrusted content material from webpages. This enables attackers to stealthily embed person prompts in webpage content material that the Perplexity browser agent processes and executes as person instructions. “As an example, an attacker might acquire entry to a person’s emails from a ready piece of textual content in a web page in one other tab,” Courageous mentioned in its weblog put up.
The findings come at a time when AI-centric browsers like Comet are gaining traction resulting from a elementary shift in person behaviour when wanting up info on-line. It additionally comes amid the rise of AI brokers able to autonomously performing numerous duties corresponding to shopping the online, making journey bookings, or procuring on behalf of the person.
Comet is claimed to be the first-of-its-kind internet browser because it locations an AI agent on the centre of a person’s search expertise. Nonetheless, such browsers have raised safety and privateness considerations as they require deep entry to delicate knowledge from logged-in periods. In Comet’s case, the AI agent is barely in a position to pull info and context immediately from platforms the place the person is already logged in.
Vulnerabilities in AI browsers additionally differ from conventional internet exploits as they may enable the AI agent to be simply tricked into pulling delicate knowledge throughout domains. Based on Courageous, Perplexity has acknowledged the safety flaw in Comet and carried out a repair. Nonetheless, the researchers mentioned that the problem continues to persist upon additional testing of the Comet browser.
The Indian Categorical has reached out to Perplexity for remark. This report can be up to date with its response if acquired.
Story continues under this advert
Courageous’s testing of Comet
Whereas Courageous didn’t cite any real-world instances of the vulnerability being exploited, it recommended that an attacker might cover malicious directions for the AI agent between internet content material. These directions would seem as textual content on white backgrounds, HTML feedback, or different invisible components. They is also embedded in Reddit feedback or Fb posts.
When a person submits a immediate corresponding to “summarise this web page”, Comet’s AI browser assistant would crawl the webpage content material and course of it to extract the important thing factors from the web page. Nonetheless, Courageous claimed that Comet doesn’t distinguish between the content material it ought to summarise and the directions it shouldn’t comply with. This might let attackers cover instructions in internet content material, tricking the AI assistant to go to a person’s banking web site and extract saved passwords.
Equally, a person’s Perplexity account is also taken over by exfiltrating their e mail deal with and OTP (in case of two-factor authentication). The ultimate step might contain instructing the AI assistant to put up these particulars as a reply to a Reddit put up.
To handle the vulnerability, Courageous recommended that Perplexity make adjustments to the Comet browser in order that the AI agent can “clearly separate the person’s directions from the web site’s contents when sending them as context to the mannequin”.
Story continues under this advert
“Based mostly upon the duty and the context, the mannequin comes up with actions for the browser to take; these actions ought to be checked for alignment in opposition to the person’s requests,” the corporate mentioned. “Regardless of the prior agent plan and duties, the mannequin ought to require specific person interplay for safety and privacy-sensitive duties.”