Unseeable prompt injections in screenshots: more vulnerabilities in Comet and other AI browsers

This is the second post in a series about security and privacy challenges in agentic browsers. This vulnerability research was conducted by Artem Chaikin (Senior Mobile Security Engineer), and was written by Artem and Shivan Kaul Sahib (VP, Privacy and Security).

Building on our previous disclosure of the Perplexity Comet vulnerability, we’ve continued our security research across the agentic browser landscape. What we’ve found confirms our initial concerns: indirect prompt injection is not an isolated issue, but a systemic challenge facing the entire category of AI-powered browsers. This post examines additional attack vectors we’ve identified and tested across different implementations.

On request, we are withholding one additional vulnerability found in another browser for now. We plan on providing more details next week.

As we’ve written before, AI-powered browsers that can take actions on your behalf are powerful yet extremely risky. If you’re signed into sensitive accounts like your bank or your email provider in your browser, simply summarizing a Reddit post could result in an attacker being able to steal money or your private data.

As always, we responsibly reported these issues to the various companies listed below so the vulnerabilities could be addressed. As we’ve previously said, a safer Web is good for everyone. The thoughtful commentary and debate about secure agentic AI that was raised by our previous blog post in this series motivated our decision to continue researching and publicizing our findings.

Prompt injection via screenshots in Perplexity Comet

Perplexity’s Comet assistant lets users take screenshots on websites and ask questions about those images. These screenshots can be used as yet another way to inject prompts that bypass traditional text-based input sanitization. Malicious instructions embedded as nearly-invisible text within the image are processed as commands rather than (untrusted) content.

How the attack works:

• Setup: An attacker embeds malicious instructions in Web content that are hard to see for humans. In our attack, we were able to hide prompt injection instructions in images using a faint light blue text on a yellow background. This means that the malicious instructions are effectively hidden from the user.
• Trigger: User-initiated screenshot capture of a page containing camouflaged malicious text.
• Injection: Text recognition extracts text that’s imperceptible to human users (possibly via OCR though we can’t tell for sure since the Comet browser is not open-source). This extracted text is then passed to the LLM without distinguishing it from the user’s query.
• Exploit: The injected commands instruct the AI to use its browser tools maliciously.

Attack demonstration:

Prompt injection via website navigation in Fellou browser

While Fellou browser demonstrated some resistance to hidden instruction attacks, it still treats visible webpage content as trusted input to its LLM. Surprisingly, we found that simply asking the browser to go to a website causes the browser to send the website’s content to their LLM.

How the attack works:

• Setup: An attacker embeds malicious visible instructions on their website.
• Trigger: User simply asks the AI assistant to navigate to the attacker’s webpage (explicit user-triggered summarization not required).
• Injection: The browser passes both the user’s query and the visible page content to the LLM in a way that allows the webpage text to override or modify the user’s intent.
• Exploit: The injected commands instruct the AI to use its browser tools maliciously.

Attack demonstration:

Disclosure timeline

Perplexity:

• October 1, 2025: Prompt injection via screenshots issue discovered and reported to Perplexity.
• October 2, 2025: Public disclosure notice sent to Perplexity.
• October 20, 2025: Public disclosure of vulnerability details.

Fellou:

• August 20, 2025: Prompt injection via website navigation issue discovered and reported to Fellou.
• October 20, 2025: Public disclosure of vulnerability details.

Impact and implications

As noted in our previous blog post, long-standing Web security assumptions break when AI agents act on behalf of users. Agentic browser assistants can be prompt-injected by untrusted webpage content, rendering protections such as the same-origin policy irrelevant because the assistant executes with the user’s authenticated privileges. This lets simple natural-language instructions on websites (or even just a Reddit comment) trigger cross-domain actions that reach banks, healthcare provider sites, corporate systems, email hosts, and cloud storage.

A consistent theme in agentic browsing vulnerabilities

Readers will note that each of these attacks look similar. Fundamentally, they boil down to a failure to maintain clear boundaries between trusted user input and untrusted Web content when constructing LLM prompts while allowing the browser to take powerful actions on behalf of the user.

We recognize that this is a hard problem, and we have some longer-term ideas that we’re exploring in collaboration with our research and security teams to address such problems. But until we have categorical safety improvements (i.e., across the browser landscape), agentic browsing will be inherently dangerous and should be treated as such. In the meantime, browsers should isolate agentic browsing from regular browsing and initiate agentic browsing actions (opening websites, reading emails, etc.) only when the user explicitly invokes them.

In the next blog post in this series, we will talk through Brave’s plans for more securely bringing agentic browsing to our 100 million+ users.