CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

CometJacking attack exploits Comet browser to steal emails

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

A new attack called CometJacking exploits URL parameters to pass hidden instructions to Perplexity's Comet AI browser, allowing access to sensitive data from connected services like email and calendar. The attack does not require credentials or user interaction and bypasses Perplexity's data protections using Base64-encoding tricks. Comet is an agentic AI browser that can autonomously browse the web and manage tasks such as emails, shopping, and booking tickets. Despite known security gaps, its adoption is increasing. The CometJacking attack was discovered by LayerX researchers, who reported it to Perplexity in late August. Perplexity responded that it did not identify an issue, marking the report as 'not applicable.' The attack involves a five-step process where the URL instructs the Comet browser's AI to execute a hidden prompt, highlighting new security risks introduced by AI-native tools.

Timeline

  1. 03.10.2025 17:01 2 articles · 8d ago

    LayerX researchers discover CometJacking attack in Comet AI browser

    LayerX researchers discovered the CometJacking attack in late August 2025 and reported it to Perplexity. The attack exploits URL parameters to pass hidden instructions to the Comet AI browser, allowing access to sensitive data from connected services. The attack is executed through a malicious link that triggers unexpected behavior when clicked. It bypasses Perplexity's data protections using Base64-encoding tricks and involves a five-step process where the URL instructs the Comet browser's AI to execute a hidden prompt. Perplexity's security team rejected the reports, stating that the attack does not lead to any security impact.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

ShadowLeak: Undetectable Email Theft via AI Agents

A new attack vector, dubbed ShadowLeak, allows hackers to invisibly steal emails from users who integrate AI agents like ChatGPT with their email inboxes. The attack exploits the lack of visibility into AI processing on cloud infrastructure, making it undetectable to the user. The vulnerability was discovered by Radware and reported to OpenAI, which addressed it in August 2025. The attack involves embedding malicious code in emails, which the AI agent processes and acts upon without user awareness. The attack leverages an indirect prompt injection hidden in email HTML, using techniques like tiny fonts, white-on-white text, and layout tricks to remain undetected by the user. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint. The ShadowLeak attack targets users who connect AI agents to their email inboxes, such as those using ChatGPT with Gmail. The attack is non-detectable and leaves no trace on the user's network. The exploit involves embedding malicious code in emails, which the AI agent processes and acts upon, exfiltrating sensitive data to an attacker-controlled server. OpenAI acknowledged and fixed the issue in August 2025, but the exact details of the fix remain unclear. The exfiltration in ShadowLeak occurs directly within OpenAI's cloud environment, bypassing traditional security controls.

Open in new tab

Modern web browsers as primary attack surface in enterprise infrastructure

Modern web browsers have become critical components of enterprise infrastructure, but also a primary attack surface for identity-based intrusions, SaaS abuse, and session hijacking. On September 29th at 12:00 PM ET, a webinar will be held to discuss the evolving threat landscape targeting corporate browsers and how attackers compromise accounts, steal data, and bypass traditional defenses. The webinar will focus on real-time detection and response platforms to mitigate these risks. The webinar, titled "Your Browser Is the Breach: Securing the Modern Web Edge", will be co-hosted by BleepingComputer and SC Media, with experts from Push Security. The event aims to educate security professionals on the tactics used by attackers, such as malicious extensions, session token theft, and OAuth abuse, and provide strategies to detect and defend against these threats.

Open in new tab

Increased Browser-Based Attacks Targeting Business Applications

Browser-based attacks targeting business applications have surged, exploiting modern work practices and decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and browser extensions, compromise business apps and data by targeting users. The attacks leverage various delivery channels and evasion techniques, making them difficult to detect and block. Phishing attacks have evolved to use non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks often bypass traditional email security controls and are harder to detect. Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for enhanced browser security measures and better visibility into user activities within the browser.

Open in new tab

AI Browsers Vulnerable to PromptFix Exploit for Malicious Prompts

AI-driven browsers are vulnerable to a new prompt injection technique called PromptFix, which tricks them into executing malicious actions. The exploit embeds harmful instructions within fake CAPTCHA checks on web pages, leading AI browsers to interact with phishing sites or fraudulent storefronts without user intervention. This vulnerability affects AI browsers like Perplexity's Comet, which can be manipulated into performing actions such as purchasing items on fake websites or entering credentials on phishing pages. The technique leverages the AI's design goal of assisting users quickly and without hesitation, leading to a new form of scam called Scamlexity. This involves AI systems autonomously pursuing goals and making decisions with minimal human supervision, increasing the complexity and invisibility of scams. The exploit can be triggered by simple instructions, such as 'Buy me an Apple Watch,' leading the AI browser to add items to carts and auto-fill sensitive information on fake sites. Similarly, AI browsers can be tricked into parsing spam emails and entering credentials on phony login pages, creating a seamless trust chain for attackers. Guardio's tests revealed that agentic AI browsers are vulnerable to phishing, prompt injection, and purchasing from fake shops. Comet was directed to a fake shop and completed a purchase without human confirmation. Comet also treated a fake Wells Fargo email as genuine and entered credentials on a phishing page. Additionally, Comet interpreted hidden instructions in a fake CAPTCHA page, triggering a malicious file download. AI firms are integrating AI functionality into browsers, allowing software agents to automate workflows, but enterprise security teams need to balance automation's benefits with the risks posed by the fact that artificial intelligence lacks security awareness. Security has largely been put on the back burner, and AI browser agents from major AI firms failed to reliably detect the signs of a phishing site. Nearly all companies plan to expand their use of AI agents in the next year, but most are not prepared for the new risks posed by AI agents in a business environment. Until the security aspect of agentic AI browsers reaches a certain level of maturity, it is advisable to avoid assigning sensitive tasks to them and to manually input sensitive data when needed.

Open in new tab

Advanced RATs exploit architectural blind spots and native tools to evade detection

New Remote Access Trojans (RATs) like StilachiRAT and SnowDog RAT are using corrupted DOS and PE headers to evade detection in enterprise environments. Attackers are leveraging simple Windows batch files and PowerShell to launch sophisticated payloads, exploiting the implicit trust in native system tools. These RATs maintain persistent access, allowing data exfiltration without triggering alerts. Fragmented security architectures and reliance on perimeter defenses contribute to the success of these attacks. Attackers are increasingly using AI and large language models (LLMs) to generate phishing lures, craft social engineering schemes, and automate attack campaigns. This trend lowers the barrier to entry for less skilled cybercriminals, accelerating the development of more evasive and resilient threats.

Open in new tab