Perplexity Comet Agent Security Risks

Browser Agents perplexity.ai Exposed Giants
AI RISK QUADRANT POSITION DEFENSE CONTROLS (4) ATTACK SURFACE (7.24) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
4.11
High
Attack Surface
7.24
Critical
Blast Radius
5.5
High
Defense Controls
4
High
About The Agent

Perplexity Comet is a Chromium-based agentic browser that runs as a desktop and mobile application with a cloud-hosted AI backend processing user requests through autonomous browser automation. The assistant is enabled by default with access to browsing history, authenticated web sessions, and multi-step task execution across navigation, email, shopping, and file handling. The dominant risk surface stems from the absence of an instruction hierarchy separating user commands from untrusted page content — every independent security assessment has exploited this gap to demonstrate end-to-end data exfiltration through the browser agent's own tool set.

About the AI Risk Quadrant

Exposed Giants describes agents with a high attack surface but moderate blast radius, where the gap between input exposure and output control creates persistent exfiltration channels that vendor-implemented defenses do not close. Perplexity Comet lands here because its browser automation ingests untrusted content across multiple channels and transmits data to arbitrary endpoints, while the blast radius is bounded by the browser session scope rather than extending to cloud infrastructure or deployment pipelines. The vendor documents basic input filtering and domain-blocking toggles, but every defense component remains at or below the basic tier on the default consumer configuration.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The default consumer configuration exposes broad input ingestion, unsandboxed browser tool execution, autonomous actions without approval gates, unrestricted outbound navigation, and consumer-tier monitoring with no anomaly detection.

Key Input Risks
The browser assistant ingests untrusted webpage DOM content, hidden HTML elements, calendar invites, email bodies, and URL query parameters alongside user prompts with no instruction hierarchy. Independent red-team assessments confirmed indirect prompt injection through hidden page content in the default consumer configuration.
Key Execution Risks
Browser automation tools execute navigation, clicking, typing, and data extraction within the user's fully authenticated session with no sandbox or privilege boundary. No documented isolation tier separates the agent's tool execution from the user's live credentials, open tabs, and browsing context.
Key Action Risks
The consumer default fires browser navigation, email drafting, shopping transactions, and file interactions autonomously without per-action approval gates — disable the assistant toggle or restrict individual capabilities in Settings > Comet to block the autonomous execution path. The highest-blast-radius scope includes authenticated access to email, password manager interfaces, and payment autofill data within the shared session.
Key Output Risks
The agent navigates to arbitrary URLs and transmits data via URL parameters, form submissions, and POST requests without documented data-loss prevention or domain restrictions. Independent testing confirmed base64-encoded exfiltration that bypassed the platform's output content checks in the default configuration.
Key Monitoring Risks
Consumer-tier monitoring provides basic browsing activity visibility with no documented anomaly detection, SIEM forwarding, or real-time alerting on agent actions. Enterprise-tier runtime detection integration and centralized audit logs are opt-in add-ons that do not apply to the default consumer posture.

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. The composite score reflects an agent whose broad input ingestion and minimal default defenses are partially offset by a browser-scoped blast radius.

AIRQ Metrics

Perplexity Comet lands in the Exposed Giants quadrant — high Attack Surface driven by demonstrated exploitability, moderate Blast Radius bounded by browser-session scope, and near-absent vendor-implemented Defense Controls on the default consumer configuration. For a deployment decision, this means the agent should not handle sensitive workflows without the hardening controls described below; a pilot deployment should restrict outbound navigation and add per-action approval gates before granting access to authenticated sessions.

Each row below summarizes one axis of the composite score, with Attack Surface and Blast Radius on a ten-point scale and Defense Controls out of fifteen.

Metric Score Comments
AIRQ Score 4.11 The composite places hardening priority on input filtering and egress controls, where the gap between demonstrated exploitability and absent defenses is widest.
Blast Radius 5.5 / 10 Network access and credential exposure carry the highest factor scores; the user's authenticated session is the blast ceiling, with no path to cloud infrastructure or deployment systems.
Attack Surface 7.24 / 10 Dominant drivers are user input and external data ingestion at adjusted ceiling, with all three trifecta conditions confirmed by independent assessments.
Defense Controls 4 / 15 The vendor documents basic input filtering and domain-blocking toggles but no execution isolation or per-action approval gates on the default consumer configuration.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures are the unfiltered ingestion of untrusted webpage content, calendar invites, and email bodies alongside user prompts, with no instruction hierarchy separating operator commands from adversarial input.

Attack Surface Metrics

Higher scores reflect surfaces where independent researchers have demonstrated end-to-end exploitation, with the two input channels and four tool-interaction axes reaching adjusted ceiling.

Each row maps an interaction channel to its base exposure band, evidence-adjusted score, and a comment summarizing the agent-specific findings that anchor the assessment.

Surface Score Comments
User Input 5 / 4 Accepts user prompts and auto-reads webpage DOM including hidden elements and spoiler tags; hidden instructions in page content extracted user credentials for full account takeover. [3][8][13]
External Data 5 / 4 Ingests calendar invite content, email bodies from authenticated sessions, and URL query parameters; a zero-click calendar invite attack triggered autonomous local file exfiltration without user interaction. [1]
Memory 2 / 4 Browsing data stored locally with assistant accessing history and cross-tab context by default; no automated cross-session learning loops found in vendor documentation or independent testing as of May 2026. [12]
Reasoning 3 / 4 The reasoning loop processes untrusted web content without an instruction hierarchy; a pre-launch audit demonstrated four injection techniques hijacking the loop to exfiltrate private emails. [2][14]
Planning 3 / 4 Multi-step task planning executes browser workflows autonomously; testing showed the agent following phishing links, entering payment details on fraudulent stores, and executing attacker-directed plans. [7]
Tool Execution 4 / 4 Browser automation includes navigation, clicking, typing, and screen-coordinate interaction; a UXSS through the extension externally_connectable wildcard escalated to full agent control. [4]
Orchestration 2 / 4 Three custom extensions communicate via Chrome messaging API with SSE for chat and WebSocket for agent actions; single-session model with no background daemon operation. [9]
Inter-Agent 3 / 4 A hidden MCP API in the browser extensions enabled device-level control from a compromised domain; the API was silently disabled after public disclosure. [5]
Output Processing 4 / 4 The agent emits browser navigation and HTTP requests carrying data to arbitrary endpoints; URL parameter injection triggered memory and email exfiltration with base64 encoding bypassing content checks. [6]
Configuration 4 / 4 Default consumer configuration ships with the assistant enabled and browsing history access active; extension permissions previously included externally_connectable wildcards enabling cross-origin agent control. [4][8]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Perplexity Comet ingests untrusted webpage and calendar content, accesses authenticated email and password manager vault interfaces, and navigates to arbitrary external endpoints — all within the same browser session.

Lethal Trifecta · Complete (3 of 3)

Perplexity Comet exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — The assistant reads webpage DOM content, hidden HTML, calendar invite payloads, and email bodies from authenticated sessions as first-class input to the reasoning loop. [3]
  • Sensitive data — The agent operates within authenticated browser sessions accessing Gmail content, password manager vault interfaces, payment autofill data, and local files through the shared session context. [1]
  • External egress — Outbound channels include unrestricted URL navigation, form field submission, and HTTP POST requests to attacker-controlled endpoints with no documented domain allowlist on the default configuration. [2]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised agent reaches the user's authenticated browser session including email, credentials, and payment data, but does not extend to cloud infrastructure or deployment pipelines.

Blast Radius Metrics

Higher scores reflect factors where the agent's default scope grants access to sensitive resources through the shared browser session without additional operator provisioning.

Each row maps a downstream resource category to the agent's documented reach, with comments citing the specific access paths confirmed by independent assessment.

Factor Score Comments
Code execution 2 / 4 Browser automation tools execute navigation and interaction within the user's session context; no shell or arbitrary code execution capability is documented, but browser actions trigger JavaScript execution sandboxed within the Chromium content process. [9]
File system access 2 / 4 Pre-patch file:// traversal enabled local file access and exfiltration; a hard boundary now blocks agent file:// access, with residual exposure from download triggers. [1][16]
Network access 3 / 4 The agent navigates to arbitrary URLs including attacker-controlled endpoints without outbound domain restrictions; data exfiltration via URL parameters and HTTP POST confirmed by independent testing. [2]
Credential access 3 / 4 The agent operates within authenticated sessions with demonstrated access to Gmail credentials, password manager vault interfaces, and payment autofill data through the browser session. [1]
Autonomous action 2 / 4 The consumer configuration executes browser workflows without per-action approval; enterprise administrators can restrict capabilities and set approvals, but default consumer scope is unrestricted. [7]
Deployment access 1 / 4 No documented capability to reach operator cloud infrastructure or production systems beyond the local browser; enterprise deployment uses MDM with centralized management. [11]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor documents basic input filtering and consumer-facing toggles but ships no execution isolation, per-action approval gates, or consumer-tier anomaly detection on the default configuration.

Defense Controls Metrics

Higher scores indicate stronger vendor-implemented safeguards; all five components remain at or below the basic tier, with execution isolation entirely absent on the default configuration.

Each row summarizes what the vendor implements by default versus what requires operator configuration, with the confidence marker indicating the evidence tier behind the assessment.

Component Score Comments
Input Guardrails 1 / 3 The vendor claims prompt injection protection on the enterprise page, but multiple independent researchers demonstrated bypasses; fixes were noted as incomplete weeks after initial patching. [10]
Execution Isolation 0 / 3 No sandbox or privilege boundary exists between the agent's tools and the user's authenticated session; the documented sandbox API applies to other products, not the browser agent. [16]
Action Controls 1 / 3 Users can toggle the assistant and block specific domains; enterprise administrators have granular controls including domain blocking and task limiting, but consumer default has no approval gates. [12]
Output Guardrails 1 / 3 Basic exfiltration checks exist at the platform level, but base64 encoding bypassed them; no documented outbound URL allowlist or data-loss prevention layer in the default configuration. [6]
Monitoring 1 / 3 Consumer version offers basic activity visibility with no anomaly detection or SIEM forwarding capability; enterprise tier adds telemetry, audit logs, and CrowdStrike Falcon runtime detection as opt-in add-ons. [17]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the trifecta by restricting outbound navigation and adding per-action approval gates, then layering input filtering and consumer-tier monitoring.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require all browser agent tasks to pass through an external prompt-injection detection layer before reaching the reasoning loop — counters the demonstrated indirect injection attacks through webpage content.
  • Configuration Enable domain blocking in settings for all untrusted content sources and restrict the assistant's browsing context to operator-approved sites — counters the webpage-content injection vector.
  • Engineering Deploy a content-security proxy that strips hidden HTML elements, spoiler tags, and invisible div content from pages before assistant processing — counters the injection techniques from independent assessments. [15]

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Establish a policy requiring browser agent sessions to run in a dedicated profile isolated from primary credentials and sensitive accounts — counters the authenticated-session exploitation path.
  • Configuration Configure Incognito mode by default for all agent-assisted browsing to prevent history indexing and reduce session data available to a compromised agent — counters the context persistence vector.
  • Engineering Implement a browser-extension firewall restricting the agent's Chrome extension communication channels to a documented allowlist of internal endpoints — counters the extension-level attack surface.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Mandate that all agent-initiated transactions involving payment, credential entry, or data submission require explicit user confirmation — counters the autonomous shopping and credential-handling risks.
  • Configuration Configure domain blocking in Settings > Comet to prevent the agent from navigating to URLs not on an operator-maintained allowlist — counters the arbitrary-URL navigation used in exfiltration.
  • Engineering Build an approval-gate integration intercepting agent-initiated form submissions and email drafts for operator review before sending — counters the demonstrated email and data exfiltration workflows.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Require all agent-initiated outbound data transmissions to pass through a data-loss prevention proxy with encoding-aware inspection — counters the base64-encoded exfiltration bypass.
  • Configuration Configure network-level URL filtering to block agent navigation to non-allowlisted external domains — counters the unrestricted outbound navigation used for silent data exfiltration.
  • Engineering Deploy an egress monitor logging and alerting on all agent-initiated HTTP POST requests and URL-parameter transmissions to external endpoints — counters the multiple demonstrated exfiltration channels.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Establish a policy requiring all deployments to forward agent activity telemetry to the organization's SIEM for centralized correlation — improves monitoring_audit from score 1 toward score 3 by adding the anomaly detection and log aggregation absent from the default configuration.
  • Configuration Enable runtime detection integration for all enterprise deployments to add behavioral detection to the agent's browser session — counters the absence of built-in anomaly detection.
  • Engineering Instrument the browser extension communication channels to log all SSE, WebSocket, and Chrome messaging traffic for post-incident forensic analysis — counters the opaque orchestration architecture.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. PleaseFix/PerplexedBrowser zero-click agent hijack Zenity Labs disclosed a zero-click attack exploiting Comet calendar-invite processing to exfiltrate local files and steal 1Password credentials via authenticated browser session.
  2. Trail of Bits Comet prompt injection audit Trail of Bits pre-launch adversarial audit demonstrating four prompt injection techniques that extracted private Gmail emails through the browser assistant.
  3. Brave indirect prompt injection in Comet Brave researchers demonstrated hidden Reddit spoiler tag instructions causing Comet to extract user email and OTP for full account takeover.
  4. Hacktron Comet UXSS via extension escalation Hacktron found a UXSS path through externally_connectable wildcard combined with subdomain XSS escalating to full browser agent control.
  5. SquareX Comet hidden MCP API disclosure SquareX discovered hidden Chrome extension MCP API capable of device-level control if the perplexity.ai domain were compromised.

Selected Research

  1. LayerX CometJacking URL parameter injection LayerX demonstrated weaponized URL instructing Comet to access user memory and connected services with base64-encoded exfiltration bypassing platform checks.
  2. Guardio Labs Scamlexity agentic browser testing Guardio Labs tested Comet as primary subject showing it following phishing links, entering payment details on fake stores, and executing CAPTCHA-disguised prompt injection.
  3. Alice indirect prompt injection in Comet Alice researchers found invisible div elements and Google Workspace document payloads could inject instructions into Comet assistant for phishing.
  4. Zenity Labs Comet architectural reverse engineering Zenity Labs reverse-engineered three custom Chrome extensions documenting RPC, WebSocket, SSE channels and ComputerBatch, ReadPage, GetPageText tool set.

Vendor Documentation

  1. Perplexity security and compliance overview Vendor security page documenting SOC 2 Type II certification, GDPR compliance, HIPAA-aligned safeguards, and PCI payment security.
  2. Comet Enterprise admin controls and deployment Comet Enterprise page describing granular assistant controls, domain blocking, CrowdStrike Falcon integration, MDM deployment, and audit logs.
  3. Comet Help Center privacy and assistant controls Help Center documenting user-facing privacy settings including assistant toggle, domain blocking, local-only browsing data, and Incognito mode.
  4. Perplexity vulnerability disclosure program Vendor VDP covering all Perplexity products including Comet, with scope definitions and responsible disclosure process.
  5. Perplexity Comet launch announcement Vendor blog post announcing Comet with capabilities overview including autonomous browsing, task execution, and web interaction features.

Other Sources

  1. OWASP LLM01 Prompt Injection OWASP ranks prompt injection as the number-one LLM risk, explicitly covering indirect injection via untrusted web content in browser agent scenarios.
  2. The Register PleaseFix vulnerability coverage The Register reported on the PleaseFix disclosure timeline covering discovery, partial patch, view-source bypass, and final fix.
  3. CrowdStrike Falcon integration for Comet Enterprise CrowdStrike partnership announcement bringing Falcon runtime detection, governance, and data protection to Comet Enterprise.