A new attack called 'CometJacking' exploits URL parameters to pass to Perplexity's Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar.
In a realistic scenario, no credentials or user interaction are required and a threat actor can leverage the attack by simply exposing a maliciously crafted URL to targeted users.
Comet is an agentic AI browser that can autonomously browse the web and, depending on the access it has, assist users with various tasks, such as managing emails, shopping for specific products, filling forms, or booking tickets.
Although the tool still has notable security gaps, as Guardio Labs showed in recent research, its adoption rate is increasing constantly.
The CometJacking attack method was devised by LayerX researchers, who reported their findings to Perplexity in late August. However, the AI company responded that it did not identify an issue, marking the report as “not applicable.”
How CometJacking works
CometJacking is a prompt-injection attack where the query string processed by the Comet AI browser contains malicious instructions added using the ‘collection’ parameter of the URL.
LayerX researchers say that the prompt tells the agent to consult its memory and connected services instead of searching the web. As the AI tool is connected to various services, an attacker leveraging the CometJacking method could exfiltrate available data.
In their tests, the connected services and accessible data include Google Calendar invites and Gmail messages and the malicious prompt included instructions to encode the sensitive data in base64 and then exfiltrate them to an external endpoint.
According to the researchers, Comet followed the instructions and delivered the information to an external system controlled by the attacker, evading Perplexity's checks.
... continue reading