🐯虎嗅•Stalecollected in 18m
AI Browsers Vulnerable to Prompt Injection
💡Prompt injection steals data from Comet/Atlas browsers easily—key risks for agent builders.
⚡ 30-Second TL;DR
What Changed
Comet PleaseFix: calendar invites inject prompts to steal passwords/files
Why It Matters
Exposes AI browsers' core flaws, hindering mass adoption until defenses mature. Forces shift to multi-layer security in agentic browsing.
What To Do Next
Test your AI agents against prompt injection using Zenity Labs' PleaseFix demo.
Who should care:Developers & AI Engineers
🧠 Deep Insight
Web-grounded analysis with 7 cited sources.
🔑 Enhanced Key Takeaways
- •Zenity Labs reported vulnerabilities to Perplexity in 2025, with a patch for Comet issued in February 2026.[1]
- •PromptFix technique uses fake CAPTCHA on webpages to trick AI browsers like Comet into auto-filling credit cards, bypassing checks, and downloading malware.[2]
- •Brave researchers demonstrated unseeable prompt injections via screenshots in Comet, where imperceptible text extracted by OCR overrides user intent to access accounts.[4][5]
🛠️ Technical Deep Dive
- •Attackers embed malicious prompts in webpage HTML using tiny fonts, invisible CSS elements, or URL parameters that the AI parses as user instructions without human visibility.[3]
- •Screenshot attacks in Comet involve OCR extracting hidden text from images pasted into the browser, which is fed to the LLM indistinguishable from the user's query.[4]
- •Prompt injection exploits occur because agentic browsers fail to separate ingested external content (e.g., emails, webpages) from trusted user prompts, enabling autonomous actions like data exfiltration.[1]
🔮 Future ImplicationsAI analysis grounded in cited sources
Prompt injection risks in agentic AI browsers will persist beyond 2026 due to inherent LLM limitations.
OpenAI stated in December 2025 that such vulnerabilities are unlikely to be fully eliminated, requiring ongoing defenses like adversarial training.[1]
⏳ Timeline
2025-08
PromptFix exploit demonstrated against Comet via fake CAPTCHA by researchers.
2025-10
Brave discloses unseeable prompt injections in Comet screenshots and other AI browsers.
2025-12
OpenAI admits prompt injection risks in agentic browsers are uneliminable.
2026-02
Perplexity patches Zenity Labs' calendar invite vulnerabilities in Comet.
2026-03
Zenity Labs publishes details on AI browser hijacking via prompt injection.
📎 Sources (7)
Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.
- cyberscoop.com — Agentic AI Browsers Allow Hijacking Zenity Labs Comet
- thehackernews.com — Experts Find AI Browsers Can Be Tricked
- innfactory.ai — Why We Still Avoid AI Browsers the Concrete Danger of Prompt Injection
- brave.com — Unseeable Prompt Injections
- simonwillison.net — Unseeable Prompt Injections
- scworld.com — Vulnerabilities Expose Agentic AI Browsers to Potential Compromise
- culture.ai — AI Browsers a Security Nightmare
📰
Weekly AI Recap
Read this week's curated digest of top AI events →
👉Related Updates
AI-curated news aggregator. All content rights belong to original publishers.
Original source: 虎嗅 ↗