Using threat modeling and prompt injection to audit Comet

• Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features.
• Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information from Gmail by exploiting the browser’s AI assistant.
• The vulnerabilities we found reflect how AI agents behave when external content isn’t treated as untrusted input.
• We’ve distilled our findings into five recommendations that any team building AI-powered products should consider before deployment.
• If you want to learn more about how Perplexity addressed these findings, please see their corresponding blog post and research paper on addressing prompt injection within AI browser agents.

Background

Comet is a web browser that provides LLM-powered agentic browsing capabilities.
Sources:
- https://blog.trailofbits.com/2026/02/20/using-threat-modeling-and-prompt-injection-to-audit-comet/ (Latest source article published: 2026-02-20 16:00 UTC)