Full Report
Cybersecurity researchers have disclosed details of a new attack called CometJacking targeting Perplexity's agentic AI browser Comet by embedding malicious prompts within a seemingly innocuous link to siphon sensitive data, including from connected services, like email and calendar. The sneaky prompt injection attack plays out in the form of a malicious link that, when clicked, triggers the
Analysis Summary
# Vulnerability: CometJacking leading to Data Exfiltration via Malicious URL in Comet AI Browser
## CVE Details
- CVE ID: Not specified in the source material.
- CVSS Score: Not specified in the source material.
- CWE: CWE-77: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (Related concept applied to an AI agent instruction set).
## Affected Systems
- Products: Perplexity's Comet AI Browser.
- Versions: Not specified, but the vulnerability is tied to the agentic features allowing prompt execution via URL parameters.
- Configurations: Any configuration where the Comet AI browser has existing, authorized access (e.g., via connected services like Gmail or Calendar) to user data.
## Vulnerability Description
CometJacking is a prompt injection attack executed via a specially crafted malicious URL. When a victim clicks this URL, it doesn't navigate to a standard destination but instead triggers the embedded AI agent (Comet) to execute a hidden prompt defined within the URL's query string parameter (specifically the `collection` parameter). This instruction forces the agent to consult its *memory* (where authorized credentials/session data reside) instead of performing a normal web search. The agent then captures sensitive data (e.g., emails, calendar entries) from connected services, obfuscates this data using Base64 encoding, and transmits it to an attacker-controlled endpoint. The attack bypasses existing data exfiltration checks because it leverages the browser's already authorized access/session context.
## Exploitation
- Status: Proof-of-Concept (PoC) demonstrated by researchers; context suggests this is a newly disclosed technique, not necessarily widespread in the wild yet.
- Complexity: Low (Relies only on a single click of a crafted URL).
- Attack Vector: Network (Requires delivering the malicious link via phishing or embedding on a webpage).
## Impact
- Confidentiality: High (Direct exfiltration of sensitive, authorized data such as emails and calendar information).
- Integrity: Low to Medium (Data is read and transferred, but alteration is not the primary goal).
- Availability: Negligible (Not intended to disrupt service availability).
## Remediation
### Patches
- The article states that Perplexity classified the findings as having "no security impact." Specific patch details were not provided, implying the vendor either disagreed with the classification or had not released a fix at the time of reporting. *Action required: Monitor Perplexity advisories for official fixes.*
### Workarounds
- Users should be extremely cautious about clicking links, especially those received via untrusted sources or those that appear to direct to the Comet browser environment.
- Organizations should implement controls to detect and neutralize malicious agent prompts, particularly those leveraging URL query strings to interact with internal agent memory or connected service APIs.
## Detection
- Indicators of compromise: Network connections originating from the Comet browser agent process attempting to communicate with external, unlisted C2 endpoints, potentially carrying Base64 encoded payloads.
- Detection methods and tools: Endpoint Detection and Response (EDR) or network monitoring tools capable of inspecting session data use or non-standard communication patterns initiated by the Comet browser process. Focus on inspecting URL query parameters that invoke internal agent/memory collection functions.
## References
- Vendor Advisories: Initial reporting from LayerX Security research.
- Relevant links:
- LayerX Blog (Source of research): hxxps://layerxsecurity.com/blog/cometjacking-how-one-click-can-turn-perplexitys-comet-ai-browser-against-you/
- The Hacker News coverage: hxxps://thehackernews.com/2025/10/cometjacking-one-click-can-turn-perplexitys-comet-ai-browser-into-data-thief.html