CometJacking: Single Click Transforms Perplexity’s Comet AI Browser into Data Stealer

Cybersecurity researchers have unveiled a new attack method known as CometJacking, which specifically targets Perplexity’s agentic AI browser, Comet. This attack involves embedding malicious prompts within seemingly harmless links to extract sensitive data from connected services, such as email and calendar applications. Michelle Levy, Head of Security Research at LayerX, emphasised that “CometJacking shows how a single, weaponised URL can quietly flip an AI browser from a trusted co-pilot to an insider threat.” The research indicates that simple obfuscation techniques can bypass data exfiltration checks, allowing attackers to access email, calendar, and other connector data with just one click. This highlights the urgent need for AI-native browsers to incorporate security-by-design measures for agent prompts and memory access, rather than solely focusing on page content.

The CometJacking attack unfolds in five steps, initiated when a victim clicks on a specially crafted URL, which may be delivered via phishing emails or embedded in web pages. Instead of directing the user to the intended destination, the URL instructs the Comet browser’s AI to execute a hidden prompt that captures user data from services like Gmail, obfuscates it using Base64 encoding, and sends it to an endpoint controlled by the attacker. Although Perplexity has downplayed the security implications of these findings, they underscore the new risks posed by AI-native tools that can circumvent traditional security measures. Or Eshed, CEO of LayerX, warned that “AI browsers are the next enterprise battleground,” urging organisations to implement controls that can detect and neutralise malicious agent prompts before they evolve into widespread threats.