The Dangers of AI Browsers
Perplexity said last week that Comet, its AI-powered browser, which previously required a monthly membership, will now be available to all users for free. Comet is a brand-new browser with an AI chatbot built in that can explore the web for you and perform tasks like sending emails, making purchases, and setting up calendar events on its own.
There’s only one problem. According to new research from cybersecurity firm LayerX, Comet’s internal AI was previously hijacked by malicious links, causing the browser to harvest personal information from linked services such as Gmail and transfer it to simulated attackers. It demonstrates that, while AI-powered browsers may increase user productivity, they can also create new risks.
The attack
LayerX uncovered a vulnerability known as “CometJacking,” in which a malicious prompt to the browser’s AI is buried within a URL. When the user clicks on that link, the browser interprets the malicious prompt as a command from the user and begins carrying it out. In LayerX’s example, the pretend attacker uses Comet to collect information from the user’s email and calendar accounts. While Comet features data theft protections, the attacker was able to circumvent them by telling the AI to encode the stolen information in base64 (effectively scrambling it to seem as innocent text) before transmitting it to a remote server under their control.
An indication of things to come
The most widely used browser right now is Google Chrome. However, some think that a new “browser war” might break out soon, driven by competitors like Perplexity’s Comet. (OpenAI has not yet launched its own AI-powered browser, although it is thought to be developing one as well.) According to LayerX CEO Or Eshed, browser developers may be creating new types of vulnerabilities as they hasten to incorporate AI functions. According to Eshed, we might be on the verge of entering “a world in which browsing becomes riskier.” “Old forms of attacks that have all but vanished will reappear, or even new forms of attacks like the one we recently found.”
The reaction of Perplexity
According to a blog post by LayerX, Perplexity “replied that it could not identify any security impact” after LayerX notified them of the vulnerability last month. According to a Perplexity spokeswoman, LayerX’s bug report was poorly written, the company did not answer questions, and Perplexity “later identified the issue independently and patched it.” The spokesman said, “We are thankful to the security community that takes part in our successful bounty program, and we’re working to ensure these types of miscommunication do not occur in the future.” The vulnerability was never exploited, the spokesperson said.
