Trail of Bits Audits Perplexity Comet Browser, Demonstrates Prompt Injection Attacks That Exfiltrate Gmail Data
Trail of Bits audited Perplexity's AI-powered Comet browser and demonstrated four prompt injection techniques that could extract private Gmail data from authenticated sessions.

Trail of Bits has published the results of a security audit of Perplexity's Comet browser, an AI-powered web browser that integrates an LLM assistant. Using their TRAIL threat model, the researchers demonstrated four distinct prompt injection techniques that could extract private Gmail data from authenticated user sessions. The findings highlight a fundamental security risk in AI agents that treat external web content as trusted input.
The audit, commissioned by Perplexity before Comet's broader deployment, focused on the browser's AI assistant sidebar, which has access to page content, browsing history, and the ability to interact with the browser like a human. Trail of Bits broke the browser into two primary trust zones: the user's local machine and Perplexity's servers. This architectural view revealed how the assistant's tools—such as fetching URL content, controlling the browser, and searching history—create data paths that could be exploited via prompt injection.
The researchers developed four injection techniques: summarization instructions, fake security mechanisms, fake system instructions, and fake user request. Each technique was used to build proof-of-concept exploits that achieved the same goal: exfiltrating the user's emails from Gmail to an attacker-controlled server when the user asked the assistant to summarize an attacker-controlled page. For example, one exploit created a page with a fake CAPTCHA that redirected the agent to Gmail, causing it to copy and submit email content under the guise of "abuse prevention."
Another exploit, called "Simple Fragments," instructed the agent to assemble content from multiple fragments, with one fragment redirecting to Gmail. The agent fetched all fragments and then navigated to a combination endpoint that exfiltrated the Gmail contents as a URL parameter. A variant of this exploit wrapped the instructions in fake system warning tags with deliberate misspellings—the researchers found that correcting the typos caused the agent to correctly identify the warning as fraudulent, making the typos necessary for the exploit to function.
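An added example, not code from Trail of Bits or Perplexity: a defensive egress check for the exfiltration path described above, where content the agent read on one origin leaves as a URL parameter sent to another. The class name, the 24-character threshold, and all hosts and mail text are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit

MIN_OVERLAP = 24  # assumed threshold: chars of read text that must reappear in a URL

def _norm(text):
    """Lowercase and collapse whitespace so decoded URL copies still match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def _shares_run(value, text, n=MIN_OVERLAP):
    """True if any n-character window of value occurs verbatim in text."""
    return any(value[i:i + n] in text for i in range(len(value) - n + 1))

class EgressGuard:
    """Remembers text read from sensitive origins and vets later navigations."""
    def __init__(self, sensitive_hosts):
        self.sensitive = set(sensitive_hosts)
        self.seen = {}  # host -> list of normalized page texts

    def record_read(self, url, page_text):
        host = urlsplit(url).hostname
        if host in self.sensitive:
            self.seen.setdefault(host, []).append(_norm(page_text))

    def check_navigation(self, url):
        """Return (allowed, reason); block cross-origin URLs carrying read text."""
        parts = urlsplit(url)
        carried = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        carried += [unquote(parts.path), unquote(parts.fragment)]
        for host, texts in self.seen.items():
            if host == parts.hostname:
                continue  # same-origin navigation is not an egress of this data
            for value in map(_norm, carried):
                if any(_shares_run(value, t) for t in texts):
                    return False, f"URL to {parts.hostname} carries text read from {host}"
        return True, "ok"

def demo():
    # Constructed sample data: hosts and mail text are invented for illustration.
    mail = "Subject: Q3 payroll\nYour verification code is 481-223"
    guard = EgressGuard({"mail.google.com"})
    guard.record_read("https://mail.google.com/mail/u/0/#inbox", mail)
    leak = "https://collector.example/combine?" + urlencode({"data": mail})
    return guard.check_navigation(leak), guard.check_navigation("https://news.example/story?id=42")

if __name__ == "__main__":
    print(demo())
```

Verbatim-overlap matching misses content the agent paraphrases or re-encodes before sending, so a check like this supplements origin-level restrictions on what the agent may navigate to after reading sensitive pages.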
The findings underscore the challenge of securing AI agents that act on external content. Trail of Bits noted that the agent was more likely to follow instructions when they were presented as part of a supposed security measure, such as a CAPTCHA or "validator." The agent also often acted unsafely on semi-structured syntax that claimed to delineate "system instructions" or messages from the user.
Perplexity has addressed the findings, as detailed in their corresponding blog post and research paper on addressing prompt injection within AI browser agents. Trail of Bits distilled their findings into five recommendations for any team building AI-powered products, emphasizing that external content should never be treated as trusted input. The audit serves as a case study in applying threat modeling to AI systems, demonstrating that adversarial testing can reveal real security risks beyond theoretical vulnerabilities.