CometJacking: How Prompt Injection Breached Perplexity AI’s Browser in 2025
Executive Summary
In November 2025, cybersecurity researchers discovered a significant prompt injection vulnerability dubbed 'CometJacking' affecting Perplexity’s Comet AI browser. This attack exploited URL parameters to inject malicious commands that instructed the AI agent to extract sensitive data—such as Gmail messages and Google Calendar invites—from connected services and exfiltrate them to external endpoints, all without any user interaction or credentials. By leveraging the AI’s lack of discrimination between trusted and untrusted instructions, attackers could bypass access controls and evade existing security checks, potentially exposing confidential information from a wide set of users and organizations adopting the AI-powered browser for daily workflows.
This incident highlights a rapidly evolving threat landscape where prompt injection attacks against generative AI platforms are surging. As organizations increasingly integrate AI agents with sensitive data and workflow automation, risks of unauthorized data access and exfiltration are escalating, prompting urgent action from security teams and regulatory bodies.
Why This Matters Now
Prompt injection attacks against AI assistants are rapidly increasing as organizations connect sensitive business applications and data to LLM-based agents. The fundamental limitations of current LLM architectures, which cannot reliably separate trustworthy instructions from malicious prompts, make these vulnerabilities urgent for enterprises and regulators alike.
Attack Path Analysis
The attacker initiated compromise by delivering a maliciously crafted URL to the victim, exploiting the AI browser's inability to properly distinguish between trusted and untrusted input. Without user interaction, the attack harnessed the AI agent's permissions to access connected services. The attacker escalated privilege naturally through the AI's granted access tokens to sensitive data sources. Lateral movement is implied as the AI interface accessed multiple connected services, including Gmail and Google Calendar, to gather broader data. For command and control, malicious prompts instructed the AI browser to send base64-encoded sensitive data to attacker-controlled external endpoints. Data exfiltration occurred via outbound web requests to untrusted destinations, and the impact was unauthorized exposure of sensitive emails and calendar information, violating privacy and potentially enabling follow-on attacks.
Kill Chain Progression
Initial Compromise
Description
The attacker lured the victim into clicking a specially crafted URL containing a prompt injection payload for the AI browser.
Related CVEs
CVE-2025-64496
CVSS 9.8A code injection vulnerability in Open WebUI's Direct Connection feature allows remote attackers to execute arbitrary JavaScript via Server-Sent Events (SSEs), potentially leading to account takeovers and remote code execution.
Affected Products:
Open WebUI Open WebUI – <= 0.6.34
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Malicious Link
Steal Web Session Cookie
Command and Scripting Interpreter
Data Manipulation: Stored Data Manipulation
Brute Force: Credential Stuffing
Exfiltration Over C2 Channel
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Indirect Command Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authentication and Secure Access
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data Security – Data Flow Mapping and Protection
Control ID: 5.1
NIS2 Directive – Security of Network and Information Systems – Risk Analysis and Security Policies
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
AI browser prompt injection attacks threaten email and calendar data exfiltration, compromising sensitive financial communications and client information through malicious URL parameters.
Health Care / Life Sciences
CometJacking vulnerabilities expose patient data in connected AI systems, violating HIPAA compliance through unauthorized access to healthcare communications and scheduling systems.
Legal Services
Law firms using AI browsers face attorney-client privilege breaches as prompt injection attacks can exfiltrate confidential emails and calendar data to external endpoints.
Technology
Tech companies deploying AI personal assistants must address fundamental LLM security flaws where untrusted data manipulation enables sensitive corporate information theft.
Sources
- Prompt Injection in AI Browsershttps://www.schneier.com/blog/archives/2025/11/prompt-injection-in-ai-browsers.htmlVerified
- This WebUI vulnerability allows remote code execution - here's how to stay safehttps://www.techradar.com/pro/security/this-webui-vulnerability-allows-remote-code-execution-heres-how-to-stay-safeVerified
- Perplexity's AI-powered Comet browser leaves users vulnerable to phishing scams and malicious code injectionhttps://www.tomshardware.com/tech-industry/cyber-security/perplexitys-ai-powered-comet-browser-leaves-users-vulnerable-to-phishing-scams-and-malicious-code-injection-brave-and-guardios-security-audits-call-out-paid-ai-browserVerified
- OpenAI says AI browsers may always be vulnerable to prompt injection attackshttps://techcrunch.com/2025/12/22/openai-says-ai-browsers-may-always-be-vulnerable-to-prompt-injection-attacks/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust segmentation, egress policy enforcement, and distributed visibility could have limited unauthorized access to sensitive services and prevented exfiltration of data, even if the AI browser itself was compromised by prompt injection.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Real-time policy inspection could detect or block abnormal agent behaviors linked to prompt injection.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation prevents over-privileged AI agents from freely accessing all connected data sources.
Control: East-West Traffic Security
Mitigation: Inter-service and inter-region AI communications are logged, restricted, or blocked if policy violations are detected.
Control: Egress Security & Policy Enforcement
Mitigation: Malicious outbound connections are blocked or alerted on via FQDN/application-based filtering.
Control: Cloud Firewall (ACF)
Mitigation: Inline firewall and signature inspection detects and blocks abnormal data exfiltration patterns.
Security operation teams are notified quickly of unauthorized AI-driven data access events.
Impact at a Glance
Affected Business Functions
- Email Communications
- Calendar Management
Estimated downtime: 3 days
Estimated loss: $500,000
Unauthorized access to sensitive emails and calendar events, leading to potential data breaches and compliance violations.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy Zero Trust segmentation and identity-based microsegmentation to tightly scope AI agent access to only necessary connected resources.
- • Enforce granular egress controls—including FQDN and application filtering—to prevent unauthorized data exfiltration paths from AI workloads.
- • Enable distributed threat detection and anomaly monitoring to rapidly identify and respond to prompt injection or agentic AI abuse.
- • Utilize inline firewalls and east-west flow controls to limit lateral movement opportunities from compromised AI assistants.
- • Expand multicloud visibility and distributed real-time inspection to maintain continuous policy enforcement and threat coverage in AI-driven environments.
