CometJacking: One Click Can Turn Perplexity's Comet AI Browser Against You (layerxsecurity.com)

LayerX disclosed a critical vulnerability in Perplexity’s Comet AI browser: a single crafted URL (a “view” URL whose query string Comet parses as agent instructions) can coerce the assistant to read sensitive user memory and connected services (Gmail, Calendar, contacts) and exfiltrate data—without any malicious page content or user credentials. The attack works by embedding a prompt and parameters (e.g., an unrecognized "collection" value that forces memory lookup) that tell Comet to summarize or export previously exposed items, encode them (LayerX used base64), generate a small script (Python) and POST the encoded payload to an attacker-controlled endpoint. LayerX produced PoCs that harvested emails and calendar entries; because the payload is trivially encoded, it bypasses Comet’s existing exfiltration checks. This finding is significant because it reveals a new attack surface unique to agentic, AI-native browsers: attackers don’t need phishing credentials or page-text prompt injections—the attacker simply hijacks the trusted agent already authorized to user data. For enterprises this elevates risk from passive data leakage to active command execution, lateral movement, and impersonation. Mitigations should include strict URL/query sanitization, whitelisting of allowed view parameters, stronger memory-access controls, and detection of encoded-exfiltration patterns. LayerX reported the issue to Perplexity on Aug 27, 2025; Perplexity deemed it Not Applicable, underscoring urgency for independent review and defensive design around AI browser agents.