Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information from Gmail by exploiting the browser’s AI assistant. The vulnerabilities we found reflect how AI agents behave when external content isn’t treated as untrusted input. We’ve distilled our findings into five recommendations that any team building AI-powered products should consider before deployment. If you want to learn more about how Perplexity addressed these findings, please see their corresponding blog post and research paper on addressing prompt injection within AI browser agents. Background Comet is a web browser that provides LLM-powered agentic browsing capabilities. The Perplexity assistant is available on a sidebar, which the user can interact with on any web page. The assistant has access to information like the page content and browsing history, and has the ability to interact with the browser much like a human would. ML-centered threat modeling To understand Comet’s AI attack surface, we developed an ML-centered threat model based on our well-established process, called TRAIL. We broke the browser down into two primary trust zones: the user’s local machine (containing browser profiles, cookies, and browsing data) and Perplexity’s servers (hosting chat and agent sessions). Figure 1: The two primary trust zones The threat model helped us identify how the AI assistant’s tools, like those for fetching URL content, controlling the browser, and searching browser history, create data paths between these zones. This architectural view revealed potential prompt injection attack vectors: an attacker could leverage these tools to exfiltrate private data from authenticated sessions or act on behalf of the user. By understanding these data flows, we were able to systemat

Read Full Article at Trail of Bits Blog →