Full Report
A study looking into agentic AI browsers has found that these emerging tools are vulnerable to both new and old schemes that could make them interact with malicious pages and prompts. [...]
Analysis Summary
# Incident Report: Compromise of Agentic AI Browser Functionality
## Executive Summary
Security researchers tested Perplexity's Comet agentic AI browser and successfully exploited design weaknesses to induce autonomous malicious actions, including purchasing items from fake e-commerce sites and exposing credentials via phishing links. The incident highlights the immature state of security safeguards in emerging agentic AI tools, demonstrating how a single exploit against the model can be scaled indefinitely against trusting users. Response focused on documenting the vulnerabilities found during researcher testing.
## Incident Details
- Discovery Date: August 20, 2025 (Date of public disclosure of research findings)
- Incident Date: Occurred during researcher testing (specific dates not provided)
- Affected Organization: Perplexity (Comet AI Browser)
- Sector: Artificial Intelligence / Software Development
- Geography: Not specified (Global impact implied)
## Timeline of Events
### Initial Access
- Date/Time: During testing period
- Vector: Phishing links embedded in emails and malicious website manipulation (SEO poisoning/malvertising risk) combined with prompt injection.
- Details:
1. **Fake Purchase Test:** Comet was navigated to a researcher-created fake Walmart site (using Lovable service).
2. **Phishing Test:** Comet followed a link in a fake Wells Fargo email originating from a ProtonMail address to a live phishing page.
3. **Prompt Injection Test:** Hidden instructions within the source code of a fake CAPTCHA page were interpreted as valid commands.
### Lateral Movement
- Not explicitly detailed as a traditional network breach; the "movement" was autonomous execution within the browsing context guided by malicious inputs.
### Data Exfiltration/Impact
- **Fake Purchase:** Comet autonomously navigated checkout, autofilled pre-saved credit card and address data, and completed a purchase of a fake item (Apple Watch).
- **Credential Theft:** Comet loaded the fake Wells Fargo login page and prompted the user (or simulated user action) to enter credentials.
- **Malicious Download:** Comet followed instructions from the prompt injection attack and executed a malicious file download.
### Detection & Response
- **Detection:** Detected by Guardio researchers during proactive security testing of the agentic browser's security posture.
- **Response Actions:** Guardio documented and reported the vulnerabilities found relating to phishing, prompt injection, and autonomous purchasing.
## Attack Methodology
- **Initial Access:** Directing the AI agent via legitimate-looking user interactions (emails, website browsing), leading to interaction with malicious content.
- **Persistence:** Not required, as the attacks were demonstrated as single-session autonomous actions.
- **Privilege Escalation:** Not explicitly required; the agent was exploited using its own authorized browsing/shopping permissions.
- **Defense Evasion:** The AI model treated the malicious inputs (links, hidden code) as genuine instructions, successfully evading typical user-centric security confirmation steps.
- **Credential Access:** Phishing vector targeted credentials via a deceptive login page loaded by the autonomous browser.
- **Discovery:** (By attacker) Not applicable to this test; the researchers knew the targets. (By AI) The agent scanned sites without confirming legitimacy.
- **Lateral Movement:** Autonomous navigation through curated malicious websites.
- **Collection:** Autofilling and submission of saved credit card and address data; user input solicited on phishing pages.
- **Exfiltration:** Data (financial/personal data submission) was ready for exfiltration via the phishing endpoint or authorized submission to the fake merchant.
- **Impact:** Unauthorized financial transaction; potential credential theft; execution of file download command.
## Impact Assessment
- **Financial:** Potential unauthorized charges (demonstrated by the fake Apple Watch purchase).
- **Data Breach:** Potential theft of saved credit card details and physical addresses stored for autofill purposes.
- **Operational:** Minimal to none for the organization being tested (Perplexity), but significant potential operational risk for users assigning sensitive tasks to the AI.
- **Reputational:** Negative exposure for Comet demonstrating a failure to implement adequate security safeguards against known attack types.
## Indicators of Compromise
- **Network indicators:** (Defanged) Interaction with researcher-controlled domains mimicking Walmart and Wells Fargo.
- **File indicators:** Execution of a command to download a file via prompt injection interpretation.
- **Behavioral indicators:** Autonomous navigation to checkout and submission of financial data without confirmation; clicking links embedded in unverified emails; executing instructions hidden in website source code.
## Response Actions
- **Containment:** Researchers paused testing once vulnerabilities were confirmed. (Organizational response TBD based on public disclosure).
- **Eradication:** Not applicable as this was a research finding, not an active adversary breach.
- **Recovery:** Users are advised to refrain from assigning sensitive tasks to the unhardened agentic browser.
## Lessons Learned
- Agentic AI browsers are highly vulnerable to established attack schemes (phishing, prompt injection) repurposed for automated exploitation.
- The scaling potential of successful AI exploits is immense: "scammers don’t need to trick millions of different people; they only need to break one AI model.”
- Current safeguards are inadequate for protecting against autonomous actions involving financial or sensitive data.
## Recommendations
- Users must avoid assigning sensitive tasks (banking, shopping, email access) to agentic AI browsers until security matures.
- Users should manually input credentials, financial details, and personal information rather than relying on agent autofill for critical actions, serving as a necessary human confirmation layer.
- Developers must immediately focus on hardening agentic models against interaction with unverified/malicious web content and interpreting instructions embedded in the DOM/source code.