Source URL: https://simonwillison.net/2025/Aug/25/agentic-browser-security/#atom-everything
Source: Simon Willison’s Weblog
Title: Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet
Feedly Summary: Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet
The security team from Brave took a look at Comet, the LLM-powered “agentic browser" extension from Perplexity, and unsurprisingly found security holes you can drive a truck through.
The vulnerability we’re discussing in this post lies in how Comet processes webpage content: when users ask it to “Summarize this webpage,” Comet feeds a part of the webpage directly to its LLM without distinguishing between the user’s instructions and untrusted content from the webpage. This allows attackers to embed indirect prompt injection payloads that the AI will execute as commands. For instance, an attacker could gain access to a user’s emails from a prepared piece of text in a page in another tab.
Visit a Reddit post with Comet and ask it to summarize the thread, and malicious instructions in a post there can trick Comet into accessing web pages in another tab to extract the user’s email address, then perform all sorts of actions like triggering an account recovery flow and grabbing the resulting code from a logged in Gmail session.
Perplexity attempted to mitigate the issues reported by Brave… but an update to the Brave post later confirms that those fixes were later defeated and the vulnerability remains.
Here’s where things get difficult: Brave themselves are developing an agentic browser feature called Leo. Brave’s security team describe the following as a "potential mitigation" to the issue with Comet:
The browser should clearly separate the user’s instructions from the website’s contents when sending them as context to the model. The contents of the page should always be treated as untrusted.
If only it were that easy! This is the core problem at the heart of prompt injection which we’ve been talking about for nearly three years – to an LLM the trusted instructions and untrusted content are concatenated together into the same stream of tokens, and to date (despite many attempts) nobody has demonstrated a convincing and effective way of distinguishing between the two.
There’s an element of "those in glass houses shouldn’t throw stones here" – I strongly expect that the entire concept of an agentic browser extension is fatally flawed and cannot be built safely.
One piece of good news: this Hacker News conversation about this issue was almost entirely populated by people who already understand how serious this issue is and why the proposed solutions were unlikely to work. That’s new: I’m used to seeing people misjudge and underestimate the severity of this problem, but it looks like the tide is finally turning there.
Tags: browsers, security, ai, prompt-injection, generative-ai, llms, perplexity, ai-agents
AI Summary and Description: Yes
Summary: The text discusses vulnerabilities in the Comet “agentic browser” extension from Perplexity, highlighting security flaws related to indirect prompt injection attacks. It underscores the challenges of distinguishing between trusted user inputs and untrusted webpage content, a core issue in LLM security. Brave’s own initiative to develop similar technology is spotlighted, indicating broader implications in AI security.
Detailed Description:
The analysis by Brave’s security team reveals significant vulnerabilities in the Comet agentic browser extension, specifically concerning how it processes content when users request summaries of web pages. The primary concern involves indirect prompt injection attacks, which can potentially lead to unauthorized access and actions on user’s private data.
Key points include:
– **Vulnerability Description**:
– Comet processes user requests by sending webpage content directly to LLMs without adequate filtration between user instructions and untrusted content.
– This allows attackers to insert malicious payloads through web content that may execute commands, such as accessing users’ emails.
– **Illustrative Example**:
– If a user requests a summary from a malicious Reddit thread, the system could be tricked into executing harmful commands that compromise the user’s personal data across tabs.
– **Mitigation Attempts**:
– Perplexity has sought to implement fixes to address these vulnerabilities, but reports suggest these efforts have been ineffective as the core issues persist.
– Brave proposes that any future agentic browser features should clearly differentiate between trusted user instructions and the untrusted content of web pages to mitigate risks.
– **Challenges in LLM Security**:
– The ongoing debate highlights that because LLMs treat inputs as a single stream of tokens, successfully distinguishing between trusted and untrusted information remains an unresolved challenge.
– The text points out that, despite many attempts, a convincing and effective solution has yet to be demonstrated.
– **Broader Implications**:
– The author expresses skepticism about the feasibility of securely developing agentic browsers, implying an inherent flaw within the concept itself.
– However, a positive note is struck regarding the growing understanding of the severity of these issues within the tech community, suggesting an increased awareness and thoughtful discourse about LLM vulnerabilities.
In conclusion, this text is pivotal for professionals in AI and security fields. It elucidates the pressing challenges of prompt injection vulnerabilities in LLM applications and the necessity for robust security practices as development in agentic technologies progresses.