Researchers Trick Perplexity’s Comet AI Browser into Phishing Scam in Under Four Minutes
Agent web browsers that leverage artificial intelligence (AI) capabilities to automate actions across websites on behalf of the user can be trained and tricked into becoming victims of phishing and scams.
This attack, at its core, takes advantage of the tendency of AI browsers to think about their actions and use it against the model itself to lower their defenses, said Guardio in a report shared with The Hacker News before publication.
“AI now works in real-time, inside messy and dynamic pages, while continuously asking for information, making decisions, and narrating its actions along the way. Yes, ‘narrative’ is quite an understatement – It’s ironic, and it’s huge!,” said security researcher Shaked Chen.
“This is what we call it Agentic Blabbering: The AI browser reveals what it sees, what it believes is happening, what it plans to do next, and what signals it considers suspicious or safe.”
By intercepting this traffic between the browser and the AI services running on the vendor’s servers and playing the input to a Generative Adversarial Network (GAN), Guardio said it was able to make Perplexity’s Comet AI browser a phishing victim in less than four minutes.
The research builds on previous techniques such as VibeScamming and Scamlexity, which found that vibe-coding platforms and AI browsers can be tricked into generating scam pages or performing malicious actions with quick hidden injections. In other words, with an AI agent that handles tasks without constant human supervision, a change in the attack surface occurs where the scammer no longer needs to trick the user. Instead, it aims to manipulate the AI model itself.
“If you can see what the agent is flagging as suspicious, suspicious, and more importantly, what they’re thinking and saying about the page, you can use that as a training signal,” Chen explained. “The scam only occurs until the AI Browser reliably walks into a trap another AI has set for it.”
The idea, in short, is to build a “fraud machine” that repeatedly updates and reproduces the phishing page until the agent’s browser stops complaining and continues to execute the threat actor’s request, such as entering the victim’s information on a fake web page designed to carry out a refund scam.
What makes this attack interesting and dangerous is that if the fraudster replicates the web page until it works against a particular AI browser, it works for all users who rely on the same agent. Put differently, the target is from the human user to the AI browser.
“This reveals the bleak future we are facing: scams will not only be launched and fixed in the wild, they will be trained offline, against the million models we rely on, until they work flawlessly when they first interact with them,” said Guardio. “Because if your AI Browser explains why it’s stopped, it teaches attackers how to bypass it.”
This disclosure comes as Trail of Bits demonstrated four quick injection methods against the Comet browser to extract users’ private information from services such as Gmail by using the browser’s AI assistant and revealing data to the attacker’s server when the user requests to digest a web page controlled by him.
Last week, Zenity Labs also described two zero-click attacks affecting Perplexity’s Comet that use a quick injection seeded inside meeting invitations to extract local files from an external server (aka PerplexedComet) or hack a user’s 1Password account if the password manager extension is installed and enabled. The problems, coded in PerplexedBrowser, have been solved by an AI company.
This is accomplished through a rapid injection method called intent collision, which occurs “when an agent combines a humanized user request with an attacker-controlled command from untrusted web data into a single execution program, without a reliable way to distinguish between the two,” said security researcher Stav Cohen.
Rapid injection attacks remain a significant challenge to protect against large-scale language models (LLMs) and integrate them into an organization’s workflow, especially because completely eliminating this vulnerability may not be possible. In December 2025, OpenAI noted that such vulnerabilities are “impossible to remediate” in agent browsers, although the associated vulnerability can be mitigated through automated attack detection, adversary training, and new system-level defenses.
