Artificial intelligence browsers promise to automate everyday web tasks, but Perplexity’s Comet has shown that convenience can come at a steep price. In a recent security incident, researchers proved that the AI would dutifully execute hidden commands found in ordinary blog posts—such as logging into an email account and sending a security code to a malicious address—without any warning or confirmation. This exploit demonstrates a fundamental weakness: the AI treats all textual input with the same level of trust, regardless of whether it originates from the user or a potentially hostile website.
Unlike traditional browsers, which act as passive viewers and enforce strict content isolation, AI browsers read, interpret, and act on web content. This gives attackers a powerful remote control: the AI can click links, fill forms, and switch tabs across sites, effectively turning a single malicious page into a gateway to the entire digital life of the user. Moreover, because the AI retains context across sessions, a single poisoned page can influence behavior on subsequent sites, and the lack of a spam filter or permission model means that malicious instructions can slip through unnoticed. The result is a system that is both too powerful and too trusting—an “intern” who cannot distinguish between a boss’s order and a stranger’s request.
Fixing this problem requires a paradigm shift in design. Developers must adopt a zero‑trust mindset, treating every web page as a potential threat and requiring explicit user approval before performing any high‑risk action such as accessing email or making purchases. Built‑in spam filters should scrutinize all incoming text for malicious patterns, and the AI’s input streams should be clearly separated—user commands, web content, and internal directives must not be conflated. Continuous monitoring and transparent logging will allow users to audit the assistant’s behavior, while user education on setting boundaries and recognizing suspicious actions can mitigate misuse. The Comet disaster is a warning that AI browsers must be engineered with security as a first‑class citizen, not an afterthought.
Want the full story?
Read on VentureBeat →