CometJacking: Is Your Browser a Security Vulnerability?
AI is everywhere, promising to aid in efficiency, save costs, and increase access to information. While that all sounds great, today’s update is a reminder that new technologies may create risks that outweigh reward. Business owners need to be able to balance the benefits that AI-assisted programs confer against the risk of data exploitation, and should continue asking: “do I really need AI for this?”
The Comet Browser
Perplexity AI launched Comet, an AI-powered Chromium-based web browser, in July of 2025.
I can’t lie, its capabilities are amazing.
Comet uses agentic AI as a personal assistant to automate tasks and streamline workflows in one integrated system. A quick search (perhaps even in a Comet browser) yields hundreds of results on how users are interacting with the tech in unique ways from organizing tabs in web browsers, drafting and summarizing emails, acting as a personal shopper, filling out forms, automating CMS tasks and organizing calendars.
AI agent cannot perform all of these tasks, however, without access to a significant amount of personal information and authorizations, including email access, browser history access, payment information and authorizations, and possibly even access to corporate servers or document management systems. You can see how this could become a liability.
Browser Vulnerability Findings
In August 2025, LayerX—a cybersecurity research and services firm—identified and disclosed a novel prompt-injection attack (“CometJacking”) that weaponizes a single URL to obtain connected user data (emails, calendar entires, etc.) without the need for credentials. Here is a video of the process in action.
As shown, when a Comet user clicks the URL, it opens a new browser/chat tab with the malicious prompt directing Comet to siphon specified information stored in Comet’s memory. Though the video shows the prompt pulling email information, the applications for this type of malicious attack are endless. Theoretically, similar prompts could be used to obtain any data that Comet has access to, or to carry out functions on behalf of users for any connected services that Comet has been given authorizations to use (i.e., to make purchases, send money, send mass emails to a users’ stored contacts). For business purposes, a similar prompt could be created to access files on a connected business server, exposing the entire company’s data to theft.
LayerX’s CometJacking prompt contained a set of instructions to first encode the siphoned information, and then export it to a hacker-controlled remote server. This simple instruction allowed the hackers to obfuscate Perplexity’s existing guardrails to protect user data from leakage. Fortunately, Perplexity has patched this security vulnerability and the original CometJacking prompt no longer works to harvest data. But the situation begs the question: if this simple prompt was enough to create such a significant vulnerability, what other, similar prompt chains may do the same? And, is it worth it to be an early-adopter for new browser technologies?
Over time, as browsers are released and adopted, AI developers will have more information from their own testing, and user feedback, to investigate and patch potential vulnerabilities and blindspots, (theoretically) enabling each iteration of AI systems to be more secure. But what can businesses do in the meantime?
What Can Businesses Do?
Phishing scams are not new, and many businesses already have security training programs and policies in place for utilization of business technology. Now, however, AI-powered browsers create risk on a much grander scale. Rather than inadvertently exposing a single password for a single system, CometJacked employees will unwittingly surrender access to all systems and data to which their browsers have authority. Given the escalated risks, it is more important than ever that businesses are thoughtful about using (or prohibiting the use of) new technology.
Here are some practical tips that businesses can employ to mitigate risks from browser hacks:
Be wary of taking first-adopter positions with new web browsers. Though Perplexity was the first to integrate AI on such a grand scale, it is expected that other AI giants will roll out new browsers in short order. Businesses should wait until these new browsers have been tested by ethical hackers, security researchers, and the public to get a read on safety and efficacy.
Limit the scope of AI use. Before implementing AI, identify the AI use case, the benefit conferred, and if AI is necessary for the intended purpose. Yes. It is cool to use new technology. But, every system that has access to company data also creates a point of vulnerability. Balancing risks and reward will help you decide whether AI is right for the job now, should be examined in the future, or is simply not a good fit.
Implement browser policies. These policies should include a list of approved browsers, and prohibit employees from using unapproved browsers—whether on work or personal computers—to complete work functions (including checking emails and performing web searches for business purposes).
Do not grant AI browsers broad authority. Rather, use least privilege principles to grant the minimal level of access needed for AI to be effective. This means limiting which integrations your AI systems use, omitting automatic authority for sensitive systems such as emails, payroll systems, or any systems that contain sensitive or proprietary information. This may even involve the use of a network proxy to limit the external domains a browser has access to.
Require user confirmations for certain tasks. Before automating functions, determine the worse case scenario in the event of self-automation. For sensitive tasks, require a human to confirm a task before an agent may undertake it. For very sensitive tasks, requiring a specific human prompt (rather than just confirmation of an action suggested by AI) may be more appropriate.
Hire professionals to audit vulnerabilities and data egress. Security experts can attempt prompt injection attacks and other forms of adversarial testing (ethical hacking) to confirm efficacy of browser filters, or if there are other blindspots in your browser securities. They can also set up data loss prevention systems to monitor outgoing payloads of data for sensitive content.
Update all technology on a regular basis. Though software updates can be annoying and time consuming, updates often contain critical security patches, and should be installed as soon as updates are available. Businesses should implement procedures for devices to update on a regular basis, if not automatically.
Train employees in how to use any new technology, and the potential dangers in using unapproved browsers. Employees are the gatekeepers of a business’s data safety, and data is only as safe as the employees tasked with overseeing it. Accidents happen, but employees who are not trained, and not tech savvy are more likely to click malicious links like the one in the CometJacking hack.
While AI poses exciting and unlimited opportunities, businesses should prioritize thoughtful implementation over adoption for the sake of adoption.
