CometJacking: How Perplexity AI Browser Could Make Your Data Vulnerable
Discover how CometJacking in Perplexity AI Browser exposes user data and learn ways to protect your privacy online.
Jersey City N.J., October 10, 2025
A recently disclosed vulnerability in Comet, an AI-powered browser developed by Perplexity, has sparked concerns over a new class of cyber threats. This is emerging from the increasing integration of artificial intelligence into web tools.
According to a report from Israeli cybersecurity firm LayerX, “CometJacking,” the flaw allows attackers to exploit Comet’s AI assistant using nothing more than a weaponised URL. Once clicked, the malicious link causes the AI to interpret hidden commands. While it grants access to sensitive personal data from connected services such as Gmail or Google Calendar.
LayerX demonstrated how an attacker could manipulate the AI to extract emails and calendar invites. Then encode them using base64 to evade detection, transmitting the data to an external server. All of it without the user noticing or providing credentials.
“The risk goes beyond passive data theft. This is about actively commanding an AI agent trusted with access to a user’s digital life,” said Or Eshed, CEO of LayerX.
A New Browser, a New Threat
Launched earlier this year, Comet represents a new wave of browsers that embed generative AI as their core function. Unlike conventional browsers, Comet can act autonomously. It can draft emails, schedule meetings, or even make online purchases, provided it has the user’s permission.
Security experts suggest that this very convenience could also be its weakness. The LayerX report reveals that Comet allows AI instructions to be passed directly via URL parameters. In the event of a malicious redirect or click, the AI assistant could be tricked into fetching data from user memory and executing further commands.
“This isn’t just about data; it’s about agentic misuse where the AI assistant becomes an unintentional accomplice,” said Aviad Gispan, one of the researchers involved in the discovery.
Perplexity’s Initial Response and Patch
While LayerX disclosed the vulnerability to Perplexity on August 27 under responsible disclosure protocols, the company initially stated that it could not identify any actionable security impact. However, following public reporting and further internal analysis, Perplexity confirmed that the issue had been identified independently and patched.
In a statement to TIME, a spokesperson for the company said, “The original bug report was vague, which led to confusion. We later addressed the issue through an internal investigation and have deployed a fix. No evidence of exploitation was found.”
The company also reiterated its commitment to engaging with the broader cybersecurity community and improving its internal triage process.
Implications for AI-First Browsing
The incident has reignited debate about the readiness of AI-native browsers to handle real-world threats. As companies like Google and OpenAI experiment with their own AI-infused browsing experiences, experts warn that security frameworks must evolve rapidly to match the complexity of these systems.
“We’re entering a world where hijacking a browser doesn’t mean hijacking the user, it means hijacking the AI agent acting on their behalf,” said Eshed.
For enterprises, the consequences could be more severe. In environments where browsers connect to internal systems, a single exploit can allow attackers to move laterally across networks, manipulate communication tools, and exfiltrate sensitive corporate data.
