Perplexity’s Comet browser can be turned into a silent data thief with a single click, researchers say. Security firm LayerX today published a proof-of-concept they call “CometJacking,” showing how a weaponized URL can inject instructions into the agentic Comet browser and make it pull data from connected services (Gmail, Calendar and other connectors), then exfiltrate the results to an attacker.
The exploit is striking for its simplicity. Instead of stealing passwords or exploiting a rendering bug, the crafted link abuses the way Comet parses its query URL, in particular the collection parameter, so that attacker-supplied text in the link is treated as an instruction to the assistant, which then reads from its memory and connectors. LayerX’s PoC instructed the agent to Base64-encode emails and calendar entries and POST them to an external endpoint; the browser dutifully complied, using its own already-authenticated sessions, so sensitive information left the device without any credential theft.
Perplexity’s security team has, so far, marked the report “not applicable,” saying it could not identify a direct security impact. LayerX and other observers dispute that assessment, arguing that platform checks which only look for clear-text exfiltration are easily bypassed by simple transformations such as encoding. The disagreement highlights a broader problem as AI-native browsers gain capability and access: the assistant acts on instructions from an untrusted page with the user’s own authority, a classic confused deputy, and so becomes a potential insider.
The implications are material for enterprises. An attacker only needs to get a URL in front of a target, via phishing or a compromised page, and the agent’s authorized access to third-party services does the rest. LayerX urges organizations to inventory AI browsers on endpoints, restrict connector scopes, sanitize prompt inputs, and extend DLP controls to detect encoded payloads and suspicious POSTs. One caveat practitioners will recognise: filtering prompt text alone is not a reliable defence against prompt injection, so the scope restrictions and egress controls carry most of the weight.
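The encoding point above is easy to show concretely. The following is an added example, not code from LayerX, Perplexity or the CometJacking PoC: a small decode-then-inspect check of the kind an egress proxy or DLP rule would run over an outbound POST body. The content patterns, the constructed sample bodies and the depth limit are all assumptions for the demonstration; the only thing it claims is that a rule matching clear text misses a Base64-encoded (or double-encoded) payload, while peeling encodings before matching does not.

```python
"""Decode-then-inspect check for outbound POST bodies.

Added example, not LayerX's or Perplexity's code. A clear-text-only rule
misses a payload the agent was told to Base64-encode; a rule that strips
encoding layers before matching still sees mail and calendar text. The
indicator patterns and sample bodies below are constructed for the demo.
"""
import base64
import binascii
import json
import re

# Clear-text indicators of mail/calendar content (assumed patterns; a real
# DLP policy would carry its own, and many more).
PATTERNS = {
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "mail_header": re.compile(r"^(From|To|Subject):", re.M),
    "icalendar": re.compile(r"BEGIN:VEVENT|DTSTART[:;]"),
}

# Runs of Base64-alphabet characters (standard or URL-safe) worth decoding.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_=-]{16,}")


def clear_text_findings(text):
    """What a naive, clear-text-only rule reports for a body."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def try_b64(token):
    """Decode token as Base64 if it is well-formed and yields printable
    text; return None otherwise. Accepts both +/ and -_ alphabets."""
    compact = re.sub(r"\s+", "", token)
    if len(compact) < 16:
        return None
    padded = compact + "=" * (-len(compact) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if not all(c.isprintable() or c.isspace() for c in text):
        return None
    return text


def inspect_body(body, max_depth=3):
    """Decode-then-inspect.

    Depth 0 checks the body as clear text. Each further depth Base64-decodes
    every long token found at the previous depth and checks the result, so a
    single- or double-encoded payload is still matched in the clear.
    Returns {"findings": [...], "depth": n}; depth is None if nothing matched.
    """
    layer = [body]
    for depth in range(max_depth + 1):
        hits = set()
        for text in layer:
            hits.update(clear_text_findings(text))
        if hits:
            return {"findings": sorted(hits), "depth": depth}
        next_layer = []
        for text in layer:
            for token in TOKEN_RE.findall(text):
                decoded = try_b64(token)
                if decoded is not None:
                    next_layer.append(decoded)
        if not next_layer:
            break
        layer = next_layer
    return {"findings": [], "depth": None}


# Constructed samples: mail and calendar text an agent might be told to send.
STOLEN = (
    "From: alice@example.com\nSubject: Q3 board deck\n\n"
    "BEGIN:VEVENT\nDTSTART:20251010T090000Z\n"
)
_b64 = lambda s: base64.b64encode(s.encode()).decode()
CLEAR_POST = '{"data": ' + json.dumps(STOLEN) + "}"
ENCODED_POST = '{"data": "' + _b64(STOLEN) + '"}'
DOUBLE_POST = '{"data": "' + _b64(_b64(STOLEN)) + '"}'
BENIGN_POST = '{"q": "weather tomorrow", "session": "' + _b64("session-token-0001") + '"}'

if __name__ == "__main__":
    for name, body in [("clear", CLEAR_POST), ("encoded", ENCODED_POST),
                       ("double", DOUBLE_POST), ("benign", BENIGN_POST)]:
        print(name, "naive:", clear_text_findings(body), "peeled:", inspect_body(body))
```

The naive rule reports nothing for the encoded body, which is exactly the gap described above; the peeling rule flags it at depth 1 and the double-encoded variant at depth 2, while the benign body with an ordinary Base64 session token stays clean. In a real deployment the same idea extends to other cheap transformations (hex, URL encoding, compression), and the rule is only one layer: it does not replace restricting which connectors the agent may reach or which hosts it may POST to.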
Whether CometJacking is being abused in the wild is unknown. But the disclosure is a reminder that convenience-first AI features introduce new attack surfaces; as agentic tools proliferate, defenders must rethink their assumptions about what a “browser” can do and what it should be allowed to do.