TL;DR: A crafted URL alone can trigger Perplexity’s Comet browser to read from memory, pull connector data such as Gmail and Calendar content, and exfiltrate it after trivial encoding, without credential theft or malicious page content, according to LayerX Security. That breaks the assumption that an authenticated assistant stays user-directed once a session begins, and it widens browser identity risk across NHI, agentic AI, and human programmes.
NHIMG editorial — based on content published by LayerX Security: LLMjacking and browser prompt injection analysis for Comet
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams stop agentic browsers from turning links into data exfiltration paths?
A: Security teams should separate link handling from assistant instruction processing, so a URL cannot directly trigger privileged model actions.
Q: Why do agentic browsers increase identity risk compared with normal web browsing?
A: Agentic browsers can hold memory, access connected services, and execute tasks on the user’s behalf, which makes them identity-bearing systems rather than passive interfaces.
Q: What breaks when exfiltration controls only look for plaintext sensitive data?
A: Controls that only inspect plaintext miss trivial transformations such as base64, chunking, or code-based reformatting.
Practitioner guidance
- Restrict assistant-triggering from untrusted URLs: Block query-string content from being interpreted as instructions when the browser is handling external links.
- Limit connector scope after untrusted input: Reduce the Gmail, Calendar, and file scopes available to the assistant during sessions that originated from external links.
- Detect transformed exfiltration paths: Inspect generated output for intent and destination as well as literal sensitive fields.
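The plaintext-only gap from the Q&A and the transformed-exfiltration item above, as an added example (not code from LayerX Security's research or from Comet): an outbound-content check that applies the same rules to the body as sent, to base64 runs it decodes, and to chunks rejoined after separators are removed. The rule set, function names and payload shapes are constructed assumptions, and it covers base64 and chunking only, not the destination and intent checks the guidance also calls for.

```python
import base64
import binascii
import re

# Constructed rules for illustration; substitute your own DLP patterns.
SENSITIVE = {
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "calendar_event": re.compile(r"BEGIN:VEVENT"),
}
# Runs long enough to plausibly be base64 or base64url data.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}")
# Separators commonly left between chunks of a split encoding.
SEPARATORS = re.compile(r"[\s,;|\"']+")


def plaintext_only(body):
    """The weak control: match sensitive patterns in the body exactly as sent."""
    return sorted(name for name, rx in SENSITIVE.items() if rx.search(body))


def _decode(run):
    """Decode a base64/base64url run to text; None if it is not valid UTF-8 text."""
    run = run.replace("-", "+").replace("_", "/")
    run += "=" * (-len(run) % 4)
    try:
        return base64.b64decode(run, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_outbound(body, depth=3):
    """Match patterns in the body and in anything it decodes to, up to `depth` layers."""
    hits = set(plaintext_only(body))
    if depth == 0:
        return sorted(hits)
    # Inspect the body as sent, then with separators removed to rejoin chunks.
    for view in (body, SEPARATORS.sub("", body)):
        for run in B64_RUN.findall(view):
            decoded = _decode(run)
            if decoded:
                hits.update(scan_outbound(decoded, depth - 1))
    return sorted(hits)
```

A run that is glued to other base64-alphabet characters, such as a path segment, decodes misaligned and is missed, so treat this as one signal alongside destination allow-listing.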
What's in the full article
LayerX Security's full research covers the operational detail this post intentionally leaves for the source:
- The exact proof-of-concept URL structure used to steer Comet into memory-backed retrieval and exfiltration.
- The observed behaviours across email theft, calendar harvesting, and connector-access abuse in test scenarios.
- The discussion of how trivial encoding bypassed existing exfiltration checks in the browser workflow.
- The disclosure timeline and the vendor response under responsible disclosure conditions.