Trail of Bits — Comet prompt-injection audit

AI relevance: Comet’s browser agent can read authenticated sessions and control navigation, so prompt injection in web content becomes a direct data-exfiltration path for AI browsing tools.

• Trail of Bits audited Perplexity’s Comet browser and demonstrated four prompt-injection techniques that could coerce the AI assistant.
• Each technique was shown to exfiltrate Gmail contents when the user asked the agent to summarize an attacker-controlled page.
• Exploit patterns included fake security mechanisms (CAPTCHA/validators), fake system instructions, and fake user requests.
• One attack chained “content fragments” so the agent fetched multiple URLs and then leaked email content via URL parameters to an attacker endpoint.
• The work was guided by a ML-centered threat model (TRAIL) that mapped tool-enabled data paths between local browser data and cloud services.
• Perplexity says the findings informed Comet’s security controls before launch.

Why it matters

• AI browser agents turn untrusted web pages into actionable instructions, so classic prompt injection becomes an account compromise vector.
• Attackers don’t need code execution; they can trick the agent to move data it already has access to.
• Threat modeling at the tool boundary is essential because the agent’s capabilities, not the model alone, define risk.

What to do

• Separate trust zones: enforce clear boundaries between external content and system/tool instructions.
• Reduce privileges: limit AI assistants from reading sensitive apps unless explicitly required.
• Red-team prompts: test your agent with multi-step injection chains, not just single-turn prompts.
• Instrument controls: log and gate tool calls that access authenticated sessions.

Sources

• Trail of Bits: Using threat modeling and prompt injection to audit Comet
• Perplexity: How we built security into Comet
• arXiv: Securing AI browser agents against prompt injection