{"id":8375,"date":"2025-11-12T05:04:54","date_gmt":"2025-11-12T05:04:54","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/12\/prompt-injection-in-ai-browsers-html\/"},"modified":"2025-11-12T05:04:54","modified_gmt":"2025-11-12T05:04:54","slug":"prompt-injection-in-ai-browsers-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/12\/prompt-injection-in-ai-browsers-html\/","title":{"rendered":"Prompt Injection in AI Browsers"},"content":{"rendered":"\n<div>Prompt Injection in AI Browsers<\/div>\n<div>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/commetjacking-attack-tricks-comet-browser-into-stealing-emails\/\">This<\/a> is why AIs are not ready to be personal assistants:<\/p>\n<blockquote>\n<p>A new attack called \u2018CometJacking\u2019 exploits URL parameters to pass to Perplexity\u2019s Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar.<\/p>\n<p>In a realistic scenario, no credentials or user interaction are required and a threat actor can leverage the attack by simply exposing a maliciously crafted URL to targeted users.<\/p>\n<p>[\u2026]<\/p>\n<p>CometJacking is a prompt-injection attack where the query string processed by the Comet AI browser contains malicious instructions added using the \u2018collection\u2019 parameter of the URL.<\/p>\n<p>LayerX researchers say that the prompt tells the agent to consult its memory and connected services instead of searching the web. 
As the AI tool is connected to various services, an attacker leveraging the CometJacking method could exfiltrate available data.<\/p>\n<p>In their tests, the connected services and accessible data include Google Calendar invites and Gmail messages and the malicious prompt included instructions to encode the sensitive data in base64 and then exfiltrate them to an external endpoint.<\/p>\n<p>According to the researchers, Comet followed the instructions and delivered the information to an external system controlled by the attacker, evading Perplexity\u2019s checks.<\/p>\n<\/blockquote>\n<p>I wrote <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/09\/indirect-prompt-injection-attacks-against-llm-assistants.html\">previously<\/a>:<\/p>\n<blockquote>\n<p>Prompt injection isn\u2019t just a minor security problem we need to deal with. It\u2019s a fundamental property of current LLM technology. The systems have <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2024\/05\/llms-data-control-path-insecurity.html\">no ability to separate trusted commands from untrusted data<\/a>, and there are an infinite number of prompt injection attacks with <a href=\"https:\/\/llm-attacks.org\/\">no way to block them<\/a> as a class. We need some new fundamental science of LLMs before we can solve this.<\/p>\n<\/blockquote>\n<\/div>\n<p>Bruce Schneier<br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/11\/prompt-injection-in-ai-browsers.html\">Go to bruce schneier<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prompt Injection in AI Browsers This is why AIs are not ready to be personal assistants: A new attack called \u2018CometJacking\u2019 exploits URL parameters to pass to Perplexity\u2019s Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar. 
In a realistic scenario, no credentials or user interaction [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[167,2026,57,267,268,1],"tags":[87],"class_list":["post-8375","post","type-post","status-publish","format-standard","hentry","category-ai","category-browsers","category-bruce-schneier","category-cyberattack","category-llm","category-uncategorized","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8375"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8375"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8375\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}