When your AI browser becomes your enemy: the Comet security disaster

Perplexity's Comet browser reveals what happens when companies rush AI agents to market without solving a fundamental design problem: these systems can't distinguish between your commands and instructions hidden in the websites they're visiting. An attacker can embed malicious instructions anywhere—blog posts, social media, product reviews, even image alt-text—and Comet will execute them as if they came from you.

The vulnerability works because AI browsers broke the traditional security model on purpose. Regular browsers act like bouncers, showing you content but not really "understanding" it. Comet replaced that bouncer with what VentureBeat calls "an eager intern" that reads, understands, and acts on everything it sees—but can't tell friend from foe. When that intern has access to your email, calendar, and authenticated sessions across every site, a single poisoned webpage becomes a remote control for your digital life.

This connects to the pattern we saw with Microsoft's EchoLeak vulnerability: AI agents operating with user privileges but lacking the context to separate trusted from untrusted input become insider threats. The difference here is scale—Comet's flaw isn't a bug to patch but a design problem affecting any AI that processes untrusted web content while holding credentials.

The real concern is that every company building AI browsers faces the same challenge. Traditional web security relies on sandboxing—keeping sites in separate boxes so Facebook can't mess with Gmail. AI browsers intentionally break those boundaries to understand connections across sites, and attackers exploit the same broken walls.

Venturebeat got this right, we're racing to deploy autonomous agents without solving the fundamental question of how they distinguish friend from foe.

https://venturebeat.com/ai/when-your-ai-browser-becomes-your-enemy-the-comet-security-disaster