Manipulating Perplexity Comet AI via Reasoning-Based Phishing

Vulnerability in Autonomous Agentic Reasoning

Recent research from Guardio Labs highlights a significant security boundary failure in agentic web browsers, specifically targeting Perplexity’s Comet AI. According to The Hacker News, researchers were able to trick the browser into falling for a Phishing scam in under four minutes. This attack vector exploits the foundational design of agentic AI, which utilizes Large Language Models (LLMs) to reason through user requests and autonomously interact with multiple web interfaces.

The vulnerability is not a traditional software bug but rather a failure in the logical guardrails that govern how the AI interprets the instructions it finds on a website. By crafting a website with specific instructions meant for the AI agent rather than the human user, an attacker can hijack the agent’s “reasoning” loop. This leads the AI to believe that executing a malicious action—such as entering credentials into a fake form or redirecting the user—is a legitimate step toward fulfilling the user’s original request.

Technical Analysis: The Reasoning Attack Vector

Agentic browsers like Comet AI function by breaking down a high-level user prompt into a series of actionable steps. This process involves analyzing the Document Object Model (DOM) of a webpage, determining the function of various elements, and deciding on the next click or text entry. The researchers demonstrated that by manipulating the content the AI reads, they could induce a state of logical drift.

During this drift, the AI’s internal security checks are bypassed because the malicious instructions are interpreted as contextual data relevant to the task. For example, if a user asks the browser to “find the best price for a subscription,” a malicious site can provide the AI with a fake “checkout” flow that the browser identifies as the correct path. Because the agent has permission to act on the user’s behalf, it may auto-fill sensitive information or navigate to a C2 controlled domain without additional verification. This evolution of TTP shifts the focus from deceiving human psychology to deceiving machine logic.

How to Detect Comet AI Browser Exploits

Detecting exploitation in agentic environments requires a shift in monitoring strategy. Traditional EDR solutions may not flag the browser’s activity as malicious because the browser process itself is legitimate and signed. To effectively identify these threats, SOC teams must monitor for unusual browser behavior patterns, such as rapid-fire form submissions across multiple unrelated domains or unexpected navigation to known malicious infrastructure immediately following an AI-driven search.

Integrating SIEM logs with browser telemetry can help identify when an agentic session deviates from expected user intent. Furthermore, analyzing the specific prompts handled by the AI can reveal attempts at prompt injection aimed at steering the agent toward unauthorized actions.

Perplexity Comet AI Phishing Risks and Impact

The primary risk associated with Perplexity Comet AI phishing risks is the erosion of the “human-in-the-loop” security model. When users delegate their browsing to an agent, they often do so with the expectation that the agent serves as a filter against threats. However, this research proves that the agent can become a conduit for the threat instead.

If an agentic browser is compromised, the potential for data exfiltration is high. Since these browsers often have access to the user’s cookies, saved passwords, and active sessions to perform tasks, a successfully manipulated agent could perform Lateral Movement across the user’s web-based applications. This could result in a Data Breach where the attacker gains access to corporate SaaS platforms without ever needing to bypass multi-factor authentication directly.

Protecting Agentic AI Browsers from Manipulation

Mitigating these risks requires a multi-layered approach to AI safety. Developers of agentic systems must implement out-of-band verification for high-risk actions. This means that any action involving financial transactions, credential entry, or sensitive data transfer must trigger a mandatory human approval step that cannot be bypassed by the AI’s reasoning engine.

Furthermore, organizations should consider the following recommendations:

• Sandbox Agentic Sessions: Isolate agentic browser sessions from the primary work environment to prevent the AI from accessing sensitive corporate cookies or local storage.
• Content Security Policies: Implement strict policies that limit the types of scripts and interactions an AI agent can execute on untrusted third-party domains.
• Reasoning Audits: Regularly audit the “thought logs” of AI agents to identify patterns where the model was successfully diverted by adversarial web content.

As agentic AI becomes more integrated into daily workflows, the industry must move toward a Zero Trust architecture for autonomous agents, ensuring that no action is taken without explicit, verified intent.