Full Report
This is why AIs are not ready to be personal assistants: A new attack called ‘CometJacking’ exploits URL parameters to pass to Perplexity’s Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar. In a realistic scenario, no credentials or user interaction are required and a threat actor can leverage the attack by simply exposing a maliciously crafted URL to targeted users. […] CometJacking is a prompt-injection attack where the query string processed by the Comet AI browser contains malicious instructions added using the ‘collection’ parameter of the URL...
Analysis Summary
# Vulnerability: CometJacking (Indirect Prompt Injection in Comet AI Browser)
## CVE Details
- CVE ID: N/A (Specific CVE not provided in the source material)
- CVSS Score: N/A
- CWE: CWE-74: Improper Neutralization of Special Elements in Output Used by a Web Page ('Cross-site Scripting') or CWE-776: Improper Neutralization of Special Elements Used in an Operation on an External Entity within an XML Processor (Conceptual similarity to improper input handling leading to instruction execution)
## Affected Systems
- Products: Perplexity’s Comet AI browser (specifically its execution of URL parameters for AI instructions).
- Versions: Not specified, but implies versions utilizing the described parameter processing mechanism.
- Configurations: Systems where the Comet AI browser is integrated or running and has connected services (e.g., Email, Calendar) enabled.
## Vulnerability Description
CometJacking is an instance of Indirect Prompt Injection targeting the Comet AI browser. The flaw resides in how the browser processes URL query strings, specifically allowing malicious instructions to be embedded within the `'collection'` parameter. These instructions override standard web browsing behavior, commanding the underlying AI model (via the browser extension/feature) to bypass intended security checks, consult connected services (like Gmail or Calendar), exfiltrate retrieved data (e.g., encoded in base64), and send it to an attacker-controlled external endpoint.
## Exploitation
- Status: Proof of Concept (PoC) demonstrated by researchers (LayerX).
- Complexity: Low (Requires only exposing a maliciously crafted URL to a targeted user; no credentials or prior interaction needed).
- Attack Vector: Network (User must click/access the crafted URL).
## Impact
- Confidentiality: High (Allows exfiltration of sensitive data from connected services like emails and calendars).
- Integrity: Medium (The system is made to act against its intended policy by leaking data).
- Availability: Low (Direct impact to availability is not the primary concern, though service integrity is compromised).
## Remediation
### Patches
- Patches: Not specified in the article. The vendor (Perplexity) would need to implement robust input sanitation and strict separation between user-provided data and system instructions/commands within the AI processing pipeline.
### Workarounds
- Restrict the use of the Comet AI browser functionality until a patch is available.
- Disable or revoke access to sensitive connected services (Email, Calendar) for the AI assistant until the underlying prompt injection vulnerability is resolved.
- Caution users against clicking unknown or suspicious URLs, even if they appear benign.
## Detection
- Indicators of Compromise (IoCs): Outbound network traffic from the Comet AI environment/process communicating with external, unexpected endpoints, especially traffic containing large, base64-encoded payloads originating after processing a specific URL command.
- Detection Methods and Tools: Monitoring network egress points specifically for data transmission initiated by the Comet AI process to non-whitelisted domains. Analyzing URL logs for frequent or unusual usage of the `'collection'` query parameter in conjunction with complex, instruction-like values.
## References
- Vendor Advisories: Not explicitly linked, research referenced through Bleeping Computer article.
- Relevant Links:
- hxxps://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-comet-browser-into-stealing-emails/
- hxxps://www.schneier.com/blog/archives/2025/11/prompt-injection-in-ai-browsers.html