A study by Brave browser claims that screenshots captured by the AI assistant could contain malicious instructions.
Brave claims that attackers can get a free hold of the AI browser tools for malicious usage
Photo Credit: Perplexity
Perplexity's Comet browser and other artificial intelligence (AI)-powered browsers might be vulnerable to prompt injections, claimed a new study. This study, which was conducted by Brave, claims that they were able to embed malicious instructions into a website and share it with the AI assistant of the browser via screenshots. The study also demonstrates such an attack, which is said to allow hackers to control the AI's browser tools for malicious purposes. It is not known whether OpenAI's ChatGPT Atlas is also vulnerable to such techniques.
Prompt injections are not a new phenomenon. Ever since the arrival of AI chatbots that operate on the natural language interface, bad actors have been trying to find ways to generate harmful and misleading outputs by hiding malicious instructions in documents, images, and even plain text. These attacks rely on multi-layered instructions and long-chain commands to break the internal safeguards of AI systems.
In the latest study by Brave, which was conducted by the company's Senior Mobile Security Engineer, Artem Chaikin, explored whether the AI assistant of the Comet browser can be tricked into following such malicious instructions. However, delivering the message to the AI assistant is more difficult than a chatbot since the bad actor does not directly control the interface.
In the first experiment, malicious instructions were embedded in the web content using hidden text (these can be text written in background colours, zero-font text, text placed outside the margin, etc). While the user cannot see this text, the AI can process and analyse it. If the user takes a screenshot of the webpage to ask the assistant a query, Comet's text recognition extracts the instructions and automatically begins following them.
In the demonstration, the prompt injection successfully rerouted the webpage to the user's Gmail account and was able to extract sensitive emails and send them to the attacker.
While this is one plausible way to attack a user, it still relies on the victim taking a screenshot of the web page, which is not an efficient method. The researchers also demonstrated a far nefarious method which works whenever a user navigates to the target website.
Here, the researcher embedded malicious visible instructions on the website. But the text is added to the page in a way that most people would not take notice (in this case, it was added as prompt suggestions on an AI chatbot page). If the user asks the AI assistant to visit the website, the browser is said to process the malicious instructions, which are designed to override the user's query and instead start a chain of action. In this case, the instructions were able to take the browser to a social media page and follow the account.
In the study, Brave said that browsers with agentic capabilities can be prompt-injected by a random webpage's content, creating a high risk for users who share the passwords of different websites and even credit card information with the browser. These authenticated privileges are then used against the user.
“This lets simple natural-language instructions on websites (or even just a Reddit comment) trigger cross-domain actions that reach banks, healthcare provider sites, corporate systems, email hosts, and cloud storage,” stated the study.
Notably, Brave said that it had reported the prompt injection vulnerability to Perplexity on October 1 and shared a public disclosure notice the following day.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.