Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes - The Hacker News

Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes Ravie LakshmananMar 11, 2026Artificial Intelligence / Browser Security Agentic web browsers that leverage artificial intelligence (AI) capabilities to autonomously execute actions across multiple websites on behalf of a user could be trained and tricked into falling prey to phishing and scam traps. The attack, at its core, takes advantage of AI browsers' tendency to reason their actions and use it against the model itself to lower their security guardrails, Guardio said in a report shared with The Hacker News ahead of publication. "The AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way. Well, 'narrating' is quite an understatement - It blabbers, and way too much!," security researcher Shaked Chen said. "This is what we call Agentic Blabbering: the AI Browser exposing what it sees, what it believes is happening, what it plans to do next, and what signals it considers suspicious or safe." By intercepting this traffic between the browser and the AI services running on the vendor's servers and feeding it as input to a Generative Adversarial Network (GAN), Guardio said it was able to make Perplexity's Comet AI browser fall victim to a phishing scam in under four minutes. The research builds on prior techniques like VibeScamming and Scamlexity, which found that vibe-coding platforms and AI browsers could be coaxed into generating scam pages or carrying out malicious actions via hidden prompt injections. In other words, with the AI agent handling the tasks without constant human supervision, there arises a shift in the attack surface wherein a scam no longer has to deceive a user. Rather, it aims to trick the AI model itself. "If you can observe what the agent flags as suspicious, hesitates on, and more importantly, what it thinks and blabbers about the page, you can use that as a training signal," Chen explained. "The scam evolves until the AI Browser reliably walks into the trap another AI set for it." The idea, in a nutshell, is to build a "scamming machine" that iteratively optimizes and regenerates a phishing page until the agentic browser stops complaining and proceeds to carry out the threat actor's bidding, such as entering a victim's credentials on a bogus web page designed for carrying out a refund scam. What makes this attack interesting and dangerous is that once the fraudster iterates on a web page until it works against a specific AI browser, it works on all users who rely on the same agent. Put differently, the target has shifted from the human user to the AI browser. "This reveals the unfortunate near future we are facing: scams will not just be launched and adjusted in the wild, they will be trained offline, against the exact model millions rely on, until they work flawlessly on first contact," Guardio said. "Because when your AI Browser explains why it stopped, it teaches attackers how to bypass it." The disclosure comes as Trail of Bits demonstrated four prompt injection techniques against the Comet browser to extract users' private information from services like Gmail by exploiting the browser's AI assistant and exfiltrating the data to an attacker’s server when the user asks to summarize a web page under their control. Last week, Zenity Labs also detailed two zero-click attacks affecting Perplexity's Comet that use indirect prompt injection seeded within meeting invites to exfiltrate local files to an external server (aka PerplexedComet) or hijack a user's 1Password account if the password manager extension is installed and unlocked. The issues, collectively codenamed PerplexedBrowser, have since been addressed by the AI company. This is achieved by means of a prompt injection technique referred to as intent collision, which occurs "when the agent merges a benign user request with attacker-controlled instructions from untrusted web data into a single execution plan, without a reliable way to distinguish between the two," security researcher Stav Cohen said. Prompt injection attacks remain a fundamental security challenge for large language models (LLMs) and for integrating them into organizational workflows, largely because completely eliminating these vulnerabilities may not be feasible. In December 2025, OpenAI noted that such weaknesses are "unlikely to ever" be fully resolved in agentic browsers, although the associated risks could be reduced through automated attack discovery, adversarial training, and new system-level safeguards. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  artificial intelligence, browser security, cybersecurity, data exfiltration, machine learning, Perplexity, Phishing, Prompt Injection, social engineering Trending News Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Load More ▼ Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Identity Controls Checklist: Find Missing Protections in Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths