Perplexity's Comet or another AI browser can give away credit card information while processing a web page, — Brave research

The developers of the Brave browser have shown how hidden text on a page can be used to make Perplexity’s Comet AI a similar browser perform any actions.

The artificial intelligence integrated into the browser can make it more than just a simple web browser. For example, it can check email, buy tickets, etc., and it has the appropriate rights to do so. Researchers demonstrated, that the Comet AI was unable to distinguish between a hidden malicious text query on a page and a user manual. Even a comment under the content of a perfectly safe page can hack an AI browser.

How it works

The attack is called indirect query injection. The text in an external source is deliberately passed off as a user manual.

1. The attacker embeds malicious instructions into network resources in one way or another. They hide instructions in white text on a white background, invisible HTML code comments, etc.
2. The user goes to this webpage and uses an AI assistant function, such as «Summarize this page» or asks the AI to process the page in another way.
3. When processing content, artificial intelligence sees hidden malicious instructions. Unable to distinguish between the content it is supposed to summarize and the instructions, it perceives everything as user requests.
4. The entered commands instruct AI to use browser tools in favor of the attacker. For example, to log in to the user’s bank website, find saved passwords, or display certain confidential information.

The researchers gave a practical example of an attack in Comet browser. It can be implemented by look at in a video on Vimeo. A user visits a Reddit post with a comment that contains instructions for entering a code hidden behind a spoiler tag. They click the «Summarize this page» button in Comet. The Comet AI assistant sees and processes these hidden instructions, which in a few steps lead to the hijacking of the Perplexity account with a one-time login code.

Brave has developed simple guidelines for browser agent developers to prevent such attacks. The browser should distinguish between user instructions and website content, the model should independently check the consistency of tasks with the user, and the browser should isolate agent browsing from normal browsing.

In conclusion, the developers point out the fundamental problem of agent browsers with artificial intelligence: the agent should perform only those actions that meet the user’s wishes. As AI assistants become more and more powerful, indirect query injection attacks pose serious risks.