CometJacking: When “One Click” Turns Your AI Browser Into an Attack Vector
- alyssa1188
- 1 day ago
In the ever-evolving world of cybersecurity, the frontier has shifted. It’s no longer just emails and attachments — now the AI assistants you trust might become the weak link. That’s the startling conclusion from a new report by LayerX, which reveals how a malicious URL can hijack Perplexity’s Comet AI browser and quietly exfiltrate your sensitive data.
If your company allows AI browsers to connect with Gmail, Calendar, or other tools — or is exploring AI-augmented workflows — this is urgent reading.
The Anatomy of “CometJacking”
A single, seemingly benign URL—no malicious web page, no phishing form—is enough to instruct Comet to access user data (emails, calendar items, memory) and send it off to an attacker.
How the attack works (step by step):
1. The bait link. An attacker sends or embeds a specially crafted URL (in email, extension, or website).
2. Hidden commands. The URL includes query parameters that Comet’s AI interprets as instructions (e.g. “collect memory, encode, send”).
3. Memory & connectors. Comet consults its memory or connected services (Gmail, Calendar, etc.) rather than only live page content.
4. Disguise via encoding. The instructions can include encoding (for example, base64) to mask the data from standard exfiltration checks.
5. Data exfiltration. The AI is directed to POST the encoded data to an attacker-controlled endpoint.
In their proof-of-concept tests, LayerX was able to harvest users’ email content and calendar entries using this vector.
Perplexity attempted to respond to responsible disclosure but reportedly marked the issue as “Not Applicable.”
Why This Changes the Threat Landscape
- No credentials needed. Unlike classic phishing, this doesn’t require tricking the user into typing passwords. The AI has the privileges already.
- Browser as insider. Your AI browser becomes an attack surface, not just a display tool.
- Encoded evasion. Even data protection mechanisms can be bypassed if the attacker encodes the content.
- Enterprise risk multiplier. In an organizational context, one compromised user can lead to lateral movement, impersonation, or data leaks via AI agent channels.
LayerX frames this as a “fundamental shift in the browser attack surface.”
What Your Organization Must Do Now
Given this evolving risk, here are the critical steps your IT/security team should take immediately:
| Action | Why It Helps | Suggested Measures |
| --- | --- | --- |
| Audit AI browser usage | Determine who has connectors enabled | Identify users or departments using Comet (or other AI browsers) with Gmail, Calendar, etc. |
| Restrict or disable risky connectors | Reduce the attack surface | Block or require explicit approvals for Gmail/Calendar access from AI browsers |
| Add AI-agent monitoring and DLP coverage | Catch anomalous behavior | Update DLP/EDR tools to flag encoded outbound requests, unexpected POSTs, or suspicious agent activity |
| Simulate URL attacks / red-team testing | Find gaps before attackers do | Use internal pen tests or engage partners to try prompt injection via URLs |
| Train users & raise awareness | The chain starts with a click | Educate employees: don’t click weird links, especially from unknown sources |
| Incident response planning | Be ready when/if someone is attacked | Log memory-access events, isolate compromised accounts, forensic review |
These are good first lines of defense. But to effectively lock down, you’ll want professional guidance tailored to your systems, APIs, and threat model.
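The table's measure of flagging encoded outbound requests and unexpected POSTs, as an added sketch that is not from LayerX or this post: it decodes base64-looking runs in a request body and re-applies the content rules to the decoded text, so encoding alone does not hide the data. The event fields, host names, patterns and sample records are constructed assumptions.

```python
import base64
import binascii
import re

# Constructed DLP patterns; a real policy would use the organisation's own rules.
SENSITIVE = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),                  # e-mail address
    re.compile(r"(?i)\b(subject|from|attendees|meeting):"),   # mail/calendar field
]
# Runs of base64 or base64url characters long enough to carry content.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")


def decode_candidates(body):
    """Yield UTF-8 text recovered from base64-looking runs in a request body."""
    for run in B64_RUN.findall(body):
        core = run.rstrip("=").replace("-", "+").replace("_", "/")
        try:
            raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
            yield raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text: ignore this run


def inspect(event, allowed_hosts):
    """Return the reasons an outbound AI-browser request deserves review."""
    reasons = []
    if event["method"] == "POST" and event["host"] not in allowed_hosts:
        reasons.append("unexpected POST destination")
    views = [("plain", event["body"])]
    views += [("base64", text) for text in decode_candidates(event["body"])]
    for label, text in views:
        if any(p.search(text) for p in SENSITIVE):
            reasons.append(f"sensitive content ({label})")
    return reasons


# Constructed sample events, shaped like records from a forward proxy.
ALLOWED = {"api.example.com"}
ENCODED = base64.b64encode(b"Subject: Q3 forecast\nFrom: cfo@example.com").decode()
EVENTS = [
    {"method": "POST", "host": "api.example.com", "body": '{"q": "weather in Paris"}'},
    {"method": "POST", "host": "collector.example.net", "body": "d=" + ENCODED},
    {"method": "POST", "host": "api.example.com", "body": "From: alice@example.com hi"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], inspect(ev, ALLOWED))
```

A rule like this only covers base64; other encodings or encrypted bodies need the destination allow-list and connector restrictions from the table to carry the weight.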
Conclusion
The CometJacking discovery by LayerX is a wake-up call. AI browsers that interface with powerful services (email, calendar, file stores) present a unique risk: the AI itself can be co-opted. Traditional security controls — antivirus, firewall, password policies — aren’t enough.
You need a forward-looking defense: monitoring agent behavior, controlling connectors, simulating exploits, and building governance around how AI tools interact with your infrastructure.
If your organization is leveraging AI assistants or investigating AI browser deployments, don’t leave the door open. Contact Plexus IT today for a security evaluation, and let us help you stay one step ahead of attacker innovations.