Using threat modeling and prompt injection to audit Comet
Trail of Bits conducted an adversarial audit of Perplexity's Comet browser, discovering prompt injection vulnerabilities that allowed the exfiltration of private user data, such as Gmail emails. By leveraging techniques like fake system instructions, fake security mechanisms, and user impersonation, attackers could manipulate the AI assistant into accessing authenticated sessions and transmitting sensitive information to external servers via URL parameters.
Authors: Trail of Bits
Source:
Trail of Bits
- domainlemurinfo[.]comAttacker-controlled domain used to host proof-of-concept prompt injection exploits and receive exfiltrated data.
- urlhxxp://lemurinfo[.]com/content.htmlAttacker-controlled page hosting malicious summarization steps used in the user impersonation exploit to escalate privileges.
- urlhxxp://lemurinfo[.]com/content/fragments/combine.html?fragmentOneContents=Attacker-controlled endpoint used to exfiltrate combined fragment data, specifically stolen Gmail contents, via URL parameters.
Key Takeaways
- Trail of Bits identified four prompt injection techniques in Perplexity's Comet browser that allowed data exfiltration.
- Exploits successfully extracted private user emails from Gmail by tricking the AI assistant during page summarization.
- Attack techniques included fake security mechanisms, fake system instructions, fake user requests, and malicious summarization instructions.
- Typos in fake system warnings surprisingly bypassed AI fraud detection in one of the exploits, highlighting the fragility of LLM alignment.
- AI agents require strict trust boundaries, least privilege, and input validation to prevent external content from being executed as system instructions.
Affected Systems
- Perplexity Comet Browser
- AI-powered browser agents
- LLM-powered agentic browsing capabilities
Vulnerabilities (CVEs)
- Prompt Injection
Attack Chain
The attacker hosts a malicious webpage containing prompt injection payloads disguised as summarization instructions, security CAPTCHAs, or system messages. When the user asks the Comet browser's AI assistant to summarize the page, the agent processes the untrusted external content as legitimate instructions. The agent is tricked into navigating to the user's authenticated Gmail account, reading the private emails, and appending the sensitive data to a URL parameter. Finally, the agent navigates to the attacker-controlled endpoint, effectively exfiltrating the user's private data.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the article. The focus is on threat modeling and architectural vulnerabilities in AI agents.
Detection Engineering Assessment
EDR Visibility: Low — The exploitation occurs entirely within the browser's AI agent context and web traffic, which EDRs typically do not inspect at the prompt or LLM interaction level. Network Visibility: Medium — Network monitoring could detect the browser agent making unexpected outbound requests to unknown domains with unusually large URL parameters indicative of data exfiltration. Detection Difficulty: Hard — Distinguishing between legitimate AI summarization tasks and malicious prompt injections requires deep inspection of LLM inputs and outputs, which standard security tools lack.
Required Log Sources
- Browser web traffic logs
- AI agent interaction logs
- Proxy/Secure Web Gateway logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| AI browser agents are being manipulated to exfiltrate sensitive data via large URL parameters to untrusted domains. | Proxy/Web Gateway logs | Exfiltration | Medium |
| An AI assistant initiates unexpected navigation events to sensitive webmail or internal portals immediately after processing an external, untrusted webpage. | Browser web traffic logs | Collection | Low |
Control Gaps
- Lack of trust boundaries between system prompts and external web content
- Insufficient least privilege controls for AI agent browsing capabilities
- Missing input validation for AI-processed web content
Key Behavioral Indicators
- Unexpected navigation events initiated by the AI agent to sensitive domains (e.g., mail.google.com) during unrelated tasks
- Large, encoded data blobs appended to URL parameters in outbound requests from the browser agent
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Review and restrict the permissions of AI browser agents to access authenticated sessions or sensitive domains unless explicitly required by the user.
Infrastructure Hardening
- Implement strict trust boundaries separating system instructions, user input, and external web content within AI applications.
- Apply input validation and sanitization to all external content processed by AI agents.
- Apply the principle of least privilege to AI agent capabilities, limiting their ability to browse the internet or access user files if not strictly necessary.
User Protection
- Educate users on the risks of asking AI assistants to summarize untrusted or unknown web pages.
Security Awareness
- Incorporate ML-centered threat modeling (e.g., TRAIL) during the design phase of AI-powered features.
- Conduct regular red-teaming and prompt injection testing against AI systems before deployment, building a library of techniques like social engineering and permission escalation.
MITRE ATT&CK Mapping
- T1114.002 - Email Collection: Remote Email Collection
- T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
- T1204.001 - User Execution: Malicious Link
Additional IOCs
- Domains:
lemurinfo[.]com- Domain used for hosting malicious fragments and exfiltration endpoints.
- Urls:
hxxp://lemurinfo[.]com/content/fragments/[NUMBER].html- URL pattern used to host content fragments that redirect the AI agent to Gmail or contain malicious instructions.