I switched from Chrome to an AI browser and got an imperfect glimpse of the future
Comet is vulnerable to LLM exploits
Large language models are vulnerable to something called “prompt injections,” which can happen whenever the LLM is made to process and interpret text. The problem is that when text is fed into an LLM, it isn’t always clear whether that text is from you or elsewhere.
For example, an LLM might process and analyze the source code of a web page to perform some kind of task. But the source code of a web page could potentially include hidden prompt instructions designed to hijack an AI that’s analyzing the source code. The LLM can’t distinguish the hidden prompt in the source code from the source code itself.
In other words, that hidden prompt was injected into the source code, and the AI will be none the wiser. Hence, prompt injection attack.
Chris Hoffman / Foundry
Security researchers at Guardio found that Comet was vulnerable to attacks like this, and that it could be tricked into falling for phishing scams while online shopping. Security researchers from Brave also found that Comet was vulnerable to indirect prompt injection attacks. Here’s the wildest part from Brave’s blog post:
“The vulnerability we’re discussing in this post lies in how Comet processes webpage content: when users ask it to ‘Summarize this webpage,’ Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands.”
Did you catch that? It’s not that Comet’s protections against prompt injection were bypassed, but rather that Comet (in its initial release) didn’t even have prompt injection protections that tried to distinguish between trusted user instructions and untrusted web page data sent to the AI model (at least with the summarization function).
This sort of thing is a known problem with large language models. While Comet now has better protections against this, it’s unclear how good those safeguards are. Comet hasn’t been properly battle-tested.
Other agentic AI browsing solutions—like ChatGPT’s agent mode—interact with websites by loading those websites in their own browser in the cloud apart from your data. Even when those LLMs are exploited by prompt injection attacks, at least the damage is somewhat limited.
But when the AI has access to everything in your browser—as is the case with Perplexity’s Comet—the risk goes up by quite a bit. From what I can tell, it seems like Perplexity is “moving fast and breaking things” while competitors are at least paying attention to security before launching.
