
🚨 Comet AI Prompt-Injection Incident: When Browsers Start Acting Without You

4 min read

🎯 Beyond a Bug: When Browsers Become Agents

Late August 2025 delivered a wake-up call: agentic browsers don’t just read the web—they can act on it. Researchers showed that Perplexity’s Comet browser could be manipulated by indirect prompt injection: hidden instructions inside a page that the AI treats as commands. That breaks long-held web-security assumptions. 

🕵️ What Happened

• The trigger: When users asked Comet to “Summarize this webpage,” parts of the page were sent to the LLM without separating untrusted content from user intent. Malicious instructions embedded in the page could then influence the agent’s plan.
• The impact surface: Researchers demonstrated data exposure risks (emails, passwords, other sensitive info from open tabs/contexts) and action abuse in workflows.
• In practice: Guardio showed Comet could be tricked into adding items to a cart and proceeding with a purchase on a fake shop, and into assisting phishing flows.

This is classic indirect prompt injection (OWASP LLM01): hostile instructions hidden in content that the AI consumes during a task. 

⏰ When It Unfolded

• Aug 20, 2025: Brave publishes an analysis describing how Comet’s summarization path processes page content in a way that enables indirect prompt injection. Guardio publishes attacker-style evaluations showing purchase/phishing scenarios.
• Aug 20–26, 2025: Widespread coverage details data exposure and auto-action risks.
• Status notes: Reporting indicates fixes were applied (some claiming patches dated Aug 13), but indirect prompt injection is a class of issues, not a single bug—so residual risk remains unless architectures change.

👤 Who Was Involved

• Researchers: Brave (agentic browsing security series) and Guardio (scenario testing).
• Vendor: Perplexity (Comet browser).
• Potential victims: Users who relied on Comet to act (send, post, buy, fill forms) based on page context during the window of exposure—and anyone using similar agentic workflows without proper guardrails.

🤖 Why This Counts as an AI Cyber Attack

This isn’t “just a bug.” It’s AI-assisted exploitation of capability:

• Content → Capability jump: Untrusted text is treated like policy/commands, steering tools.
• Breaks web assumptions: SOP/CORS don’t protect the LLM+tools layer where actions happen.
• Real-world abuse paths: Phishing assistance, checkout flows, credential handling.

OWASP classifies this as LLM01: Prompt Injection—especially dangerous when models can call tools. 

🔎 How to Check If You’re Affected

1. Review activity: Check recent purchase histories, email outbox/drafts, and autofill-driven submissions that occurred while using Comet. Look for actions you didn’t intend.
2. Session hygiene: In accounts you used alongside Comet, sign out of all sessions and re-authenticate.
3. Credentials: Rotate passwords and ensure 2FA is enabled on critical services (email, banking, cloud dev tools).
4. Browser/Agent settings: Disable any auto-action modes (e.g., one-click buys, auto-form submit) until you have clear vendor guidance on architectural mitigations—not just prompt filters.

🛡️ Mitigate & Harden Now

• Treat external text as data, not policy. Ensure your agent/browser (or enterprise proxy) enforces taint boundaries—no direct elevation from content to commands. (Think: TACP in an Agent Compliance Protocol.)
• Gate risky tools with “step-up.” Payments, messaging, secrets should require human preview + re-auth. (SHRA.) Findings show this class of control would have blocked many demos.
• Limit capabilities by default. Use least-privilege tool scopes (separate read vs. write; deny wildcards) so even a tricked planner can’t execute harmful actions. (LPTS.)
• Outbound allowlisting & redaction. Route egress via a policy proxy to block unknown POSTs and scrub sensitive data. (EDLC.)
• Ephemeral memory + audit. Sandbox task memory and keep append-only logs for forensics. (MCSI + ACA.)
• For users/teams today: Prefer non-agentic browsing for sensitive workflows; pin vetted versions; review vendor guidance before re-enabling automation. Coverage emphasizes the risks of full browser automation.

📚 Further Reading

• Brave: Indirect Prompt Injection in Perplexity Comet (technical write-up).
• Guardio: “Scamlexity”—buying from fake shops, phishing workflows.
• BleepingComputer: Comet tricked into buying fake items online.
• Malwarebytes: Prompt-injection warning for AI browsers.
• The Register: Fix status and residual risk context.
• OWASP GenAI: LLM01 Prompt Injection.

The takeaway: Agentic browsing collapses the gap between seeing and doing. Unless we enforce content/capability separation and human checkpoints for risky actions, prompt injection becomes action injection. Harden now—before the next “summarize this page” turns into “buy this item”.


About the author


François Amat

CTO, Suzan AI

CTO of Suzan AI, passionate about artificial intelligence and technological innovation. Expert in developing AI solutions and in distributed systems architecture.
