A report published today by LayerX finds that the Comet artificial intelligence (AI) browser developed by Perplexity is susceptible to prompt injection attacks that can be used to compromise application environments.
LayerX CEO Or Eshed said the company demonstrated a proof of concept of a CometJacking attack in which it weaponized a single URL to inject a prompt that gave it access to applications the Comet browser could access. In theory, cybercriminals could embed malicious prompts in a malicious web page or the comments section of a legitimate website to gain access to data residing in any application that has been integrated with the Comet browser, said Eshed.
Additionally, a malicious URL could be embedded into any piece of code that the Comet browser might access, noted Eshed. For example, if an end user asked Comet to rewrite an email or schedule an appointment, the email content and meeting metadata that might be residing in memory can be exfiltrated. Because Perplexity’s AI browser can integrate with connectors, any action performed might expose sensitive personal data.
As a result, a cybercriminal could attempt to exfiltrate sensitive information by instructing the browser to generate Python code that transmits results to a remote server. While Perplexity applies safeguards to block the direct sending of sensitive data, these protections can be easily bypassed, noted Eshed.
LayerX has alerted Perplexity to the issue, which the provider of the Comet browser currently views as a weakness that is beyond its control to remediate. Less clear is to what degree this same issue might also affect other AI browsers that have emerged in the last few months, but as with any emerging technology, cybersecurity teams should assume none of these offerings has been battle-tested from a cybersecurity perspective.
As a provider of a tool that scans websites for malicious URLs, LayerX views the rise of AI browsers as validation of its research and development efforts. However, it’s impossible to know whether organizations will adopt a scanning tool to make AI browsers more secure. The one certain thing is that, regardless of what policies may be adopted, many end users are going to install AI browsers on their machines. Cybersecurity teams, as a result, should start mapping now which AI browsers are installed on endpoints along with the applications they are accessing, said Eshed.
Cyberattacks aimed at browsers have largely disappeared as a threat vector because of security capabilities that have been embedded in their core engines. AI browsers, however, are accessing data outside of a sandbox environment, so it becomes possible to use a prompt to issue a set of malicious instructions, noted Eshed. That capability, in effect, means AI browsers are about to become a focal point for cybersecurity attacks, said Eshed.
It’s not clear yet whether any cybercriminals have used the technique described by LayerX to compromise an AI browser, but now that it is being widely shared, the one certain thing is that Comet browsers are about to be put to the ultimate real-world test.