Cybersecurity researchers revealed details of a new attack called cometjacking Target Perplexity’s Agent AI Browser Comet and embed malicious prompts within seemingly harmless links to Siphon-sensitive data from connected services such as emails and calendars.
A sleazy prompt injection attack unfolds in the form of a malicious link that, when clicked, causes unexpected behavior unknown to the victim.
https://www.youtube.com/watch?v=n8vlom-musc
“CometJacking shows that a single weaponized URL can quietly flip an AI browser from a trusted co-pilot to an insider threat,” said Michelle Levy, Head of Security Research., in a statement shared with Hacker News.
“This isn’t just data stealing, it’s about hijacking agents who already have keys. Our research proves that trivial obfuscation can bypass data delamination checks and turn off email, calendar and connector data offbox with just one click.
In short, this attack hijacks AI assistants embedded in your browser to steal data. The attack does not include the qualification theft component, as the browser already allows access to Gmail, calendars, and other connection services.
It takes place in five steps, when the victim clicks on a specially created URL, it is sent via phishing email or active when it is present on a web page. Instead of taking the user to the “intended” destination, the URL tells the AI in the Comet browser to perform a hidden prompt to capture the user’s data, for example from Gmail, obfuscate it using Base64 encoding, and sends the information to an endpoint under the attacker’s control.
The URL created is a query string directed to the Comet AI browser, with malicious instructions added using the URL’s “collection” parameter, which refers to memory rather than the agent performing a live web search.
Confusion classifies the findings as “no security impact,” but once again highlights how AI-Native tools can circumvent traditional defenses and introduce new security risks that can be used by bad actors to order bids, and expose users and organizations to potential data theft in the process.
In August 2020, Guardio Labs unveiled an attack technique called molting, where browsers like comet can be fooled by threat actors as interacting with phishing landing pages and counterfeit e-commerce storefronts without the knowledge or intervention of human users.
“The AI browser is the next Enterprise Battleground,” said Eshed, CEO of Layerx. “If an attacker can direct an assistant through a link, the browser becomes a command-and-control point within the company’s boundaries. Organizations need to urgently evaluate the controls that detect and neutralize malicious agent prompts before these POCs become broad campaigns.”
