A new vulnerability in Perplexity’s Comet AI browser allows attackers to inject malicious prompts through seemingly innocuous screenshots.
Disclosed on October 21, 2025, this flaw builds on earlier concerns about prompt injection in agentic browsers, AI-powered tools that act on users’ behalf.
The discovery highlights ongoing risks in these emerging technologies, where hidden instructions can hijack user sessions and access sensitive data.
In their latest report, Brave’s Senior Mobile Security Engineer Artem Chaikin and VP of Privacy and Security Shivan Kaul Sahib detail how Comet’s screenshot feature, designed to let users query images from websites, can be exploited.
This is the second installment in Brave’s series on security challenges in agentic browsing, following a prior disclosure of a similar issue in Comet.
The researchers emphasize that such vulnerabilities are not isolated but represent a broader systemic problem across AI browsers.
Hidden Text In Screenshots Bypasses Safeguards
The attack exploits Comet’s ability to analyze screenshots for user questions. Attackers embed nearly invisible malicious instructions into web content, such as faint light blue text on a yellow background within images.
These instructions evade human detection but are extracted by the browser’s text recognition, likely through optical character recognition (OCR), and fed directly into the large language model (LLM) without proper sanitization.
Once a user takes a screenshot of the tainted page, the hidden commands masquerade as part of the legitimate query.
This tricks the AI into executing harmful actions, like navigating to phishing sites or extracting data from authenticated accounts.
For instance, if a user is logged into their bank or email, a simple screenshot could authorize transfers or data theft, as the AI operates with the user’s privileges.
Brave demonstrated the exploit in a controlled setup, showing how hidden prompts override user intent.
“AI browsers that take actions on your behalf are powerful yet extremely risky,” the researchers note, referencing a Malwarebytes report on how even summarizing a Reddit post could lead to financial loss.
This screenshot vulnerability echoes issues in other browsers, like Fellou, where navigating to a malicious site sends page content to the LLM, allowing visible instructions to manipulate queries.
Brave has withheld details about an additional browser flaw and plans to disclose more information soon. The implications are significant because traditional web protections, such as the same-origin policy, are ineffective here; untrusted content can influence the AI’s decisions.
Attackers could target everyday scenarios, browsing social media or forums to trigger cross-domain exploits affecting banks, healthcare portals, or cloud storage.
Brave responsibly reported the Comet issue to Perplexity on October 1, 2025, with public disclosure following on October 21 after the initial response.
The company urges isolating agentic features from regular browsing and requiring explicit user confirmation for sensitive actions. As agentic browsers gain traction, experts call for industry-wide safeguards.
Brave is exploring solutions through its research team and plans to roll out secure AI features for its 100 million users. Until then, users should approach these tools cautiously, especially with logged-in sessions.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
