{"id":236,"date":"2026-03-11T18:14:45","date_gmt":"2026-03-11T18:14:45","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=236"},"modified":"2026-03-11T18:14:45","modified_gmt":"2026-03-11T18:14:45","slug":"researchers-trick-perplexitys-comet-ai-browser-into-phishing-scam-in-under-four-minutes","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=236","title":{"rendered":"Researchers Trick Perplexity’s Comet AI Browser Into Phishing Scam in Under Four Minutes"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Mar 11, 2026<\/span><\/span>Artificial Intelligence \/ Browser Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Agentic web browsers that leverage artificial intelligence (AI) capabilities to autonomously execute actions across multiple websites on behalf of a user could be trained and tricked into falling prey to phishing and scam traps.<\/p>\n

The attack, at its core, takes advantage of AI browsers’ tendency to reason their actions and use it against the model itself to lower their security guardrails, Guardio said<\/a> in a report shared with The Hacker News ahead of publication.<\/p>\n

\u00abThe AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way. Well, ‘narrating’ is quite an understatement – It blabbers, and way too much!,\u00bb security researcher Shaked Chen said.<\/p>\n

\u00abThis is what we call Agentic Blabbering<\/strong>: the AI Browser exposing what it sees, what it believes is happening, what it plans to do next, and what signals it considers suspicious or safe.\u00bb<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

By intercepting this traffic between the browser and the AI services running on the vendor’s servers and feeding it as input to a Generative Adversarial Network (GAN<\/a>), Guardio said it was able to make Perplexity’s Comet AI browser fall victim to a phishing scam in under four minutes.<\/p>\n

The research builds on prior techniques like VibeScamming and Scamlexity, which found that vibe-coding platforms and AI browsers could be coaxed into generating scam pages or carrying out malicious actions via hidden prompt injections. In other words, with the AI agent handling the tasks without constant human supervision, there arises a shift in the attack surface wherein a scam no longer has to deceive a user. Rather, it aims to trick the AI model itself.<\/p>\n

\u00abIf you can observe what the agent flags as suspicious, hesitates on, and more importantly, what it thinks and blabbers about the page, you can use that as a training signal,\u00bb Chen explained. \u00abThe scam evolves until the AI Browser reliably walks into the trap another AI set for it.\u00bb<\/p>\n

\"\"<\/a><\/div>\n

The idea, in a nutshell, is to build a \u00abscamming machine\u00bb that iteratively optimizes and regenerates a phishing page until the agentic browser stops complaining and proceeds to carry out the threat actor’s bidding, such as entering a victim’s credentials on a bogus web page designed for carrying out a refund scam.<\/p>\n

What makes this attack interesting and dangerous is that once the fraudster iterates on a web page until it works against a specific AI browser, it works on all users who rely on the same agent. Put differently, the target has shifted from the human user to the AI browser.<\/p>\n

\u00abThis reveals the unfortunate near future we are facing: scams will not just be launched and adjusted in the wild, they will be trained offline, against the exact model millions rely on, until they work flawlessly on first contact,\u00bb Guardio said. \u00abBecause when your AI Browser explains why it stopped, it teaches attackers how to bypass it.\u00bb<\/p>\n

The disclosure comes as Trail of Bits demonstrated<\/a> four prompt injection techniques<\/a> against the Comet browser to extract users’ private information from services like Gmail by exploiting the browser’s AI assistant and exfiltrating the data to an attacker\u2019s server when the user asks to summarize a web page under their control.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Last week, Zenity Labs also detailed two zero-click attacks affecting Perplexity’s Comet that use indirect prompt injection seeded within meeting invites to exfiltrate local files to an external server (aka PerplexedComet<\/a>) or hijack a user’s 1Password account<\/a> if the password manager extension<\/a> is installed and unlocked. The issues, collectively codenamed PerplexedBrowser, have since been addressed by the AI company.<\/p>\n

This is achieved by means of a prompt injection technique referred to as intent collision, which occurs \u00abwhen the agent merges a benign user request with attacker-controlled instructions from untrusted web data into a single execution plan, without a reliable way to distinguish between the two,\u00bb security researcher Stav Cohen said.<\/p>\n

Prompt injection attacks remain a fundamental security challenge for large language models (LLMs) and for integrating them into organizational workflows, largely because completely eliminating these vulnerabilities may not be feasible. In December 2025, OpenAI noted that such weaknesses are \u00abunlikely to ever\u00bb be fully resolved in agentic browsers, although the associated risks could be reduced through automated attack discovery, adversarial training, and new system-level safeguards.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Mar 11, 2026Artificial Intelligence \/ Browser Security Agentic web browsers that leverage artificial intelligence (AI) capabilities to autonomously execute actions across multiple websites on behalf of a user could…<\/p>\n","protected":false},"author":1,"featured_media":237,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[265,608,609,607,390,605,595,606],"class_list":["post-236","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-browser","tag-comet","tag-minutes","tag-perplexitys","tag-phishing","tag-researchers","tag-scam","tag-trick"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=236"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/236\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/237"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}