Our content generation service is experiencing issues. A human-curated summary is being prepared.

Business & Startups

Perplexity's BrowseSafe patches agent gaps after Brave finds Comet flaw

December 7, 2025 • 2 min read

Perplexity’s newest safety layer, BrowseSafe, arrived just as the AI‑browser community began to reckon with a glaring blind spot. The company has long touted its agents as “secure by design,” yet the underlying architecture still relied on a single‑prompt model that can be swayed by external content. While the concept sounds solid, real‑world testing exposed a crack.

Earlier this year, a separate security team flagged an anomaly in the Comet assistant that runs inside many browsers. Their findings showed that malicious actors could embed covert instructions in ordinary web pages or comment sections, then watch the assistant treat those snippets as legitimate user commands. This isn’t a theoretical concern; it translates into a direct pathway for hijacking user sessions, leaking data, or prompting unwanted actions.

The incident forced Perplexity to rethink its approach, prompting a rapid rollout of BrowseSafe patches aimed at filtering out such hidden prompts. The severity of the issue became clear in August 2025, when Brave discovered a security vulnerability in Comet. Using a technique known as indirect prompt injection, attackers hid commands in web pages or comments.

The AI assistant then misinterpreted these hidden commands as user instructions while

The severity of the issue became clear in August 2025, when Brave discovered a security vulnerability in Comet. Using a technique known as indirect prompt injection, attackers hid commands in web pages or comments. The AI assistant then misinterpreted these hidden commands as user instructions while summarizing content.

Brave showed that this method could be used to steal sensitive information, including email addresses and one-time passwords. Perplexity argues that existing benchmarks like AgentDojo are insufficient for these threats. They typically rely on simple prompts like "Ignore previous instructions," whereas real-world websites contain complex, chaotic content where attacks can be easily concealed.

Defining the scope of real-world attacks To address this, Perplexity built the BrowseSafe Bench around three specific dimensions.

Perplexity's BrowseSafe tries to patch the gaping security holes inherent in AI browser agents - THE DECODER

Related Topics: #Perplexity #BrowseSafe #Comet #Brave #indirect prompt injection #AgentDojo #AI

BrowseSafe arrives as a direct response to the Comet breach uncovered by Brave in August 2025, where hidden commands on web pages caused an AI assistant to act on unintended instructions. Perplexity claims a 91 percent detection rate for prompt‑injection attacks, outpacing PromptGuard‑2’s 35 percent and edging ahead of GPT‑5’s 85 percent. The system’s reported speed suggests it can operate in real‑time, a practical requirement for any browser‑based agent.

Yet the figures speak only to controlled tests; it is unclear whether the same success will translate to the chaotic, adversarial environments where attackers constantly evolve their tactics. The comparison with other models highlights a gap, but the absence of independent verification leaves the robustness of BrowseSafe open to question. If the detection rate holds under broader scrutiny, the tool could narrow a known vulnerability window. Until external audits confirm these results, the extent to which BrowseSafe will close the security gap remains uncertain.

Common Questions Answered

What vulnerability did Brave uncover in the Comet assistant in August 2025?

Brave identified an indirect prompt injection flaw where hidden commands embedded in web pages or comments were misinterpreted by the Comet AI assistant as user instructions. This allowed attackers to extract sensitive data such as email addresses and one‑time passwords during content summarization.

How does Perplexity's BrowseSafe safety layer address the Comet prompt‑injection issue?

BrowseSafe introduces a real‑time detection system that scans incoming prompts for hidden injection patterns, achieving a reported 91 percent detection rate for such attacks. By filtering malicious inputs before they reach the AI model, it aims to prevent the assistant from executing unintended commands.

How does BrowseSafe's detection performance compare to PromptGuard‑2 and GPT‑5?

Perplexity claims BrowseSafe detects 91 percent of prompt‑injection attempts, significantly higher than PromptGuard‑2's 35 percent and edging out GPT‑5's 85 percent detection rate. These figures suggest BrowseSafe offers a stronger defensive posture for browser‑based agents.

Why was Perplexity's previous single‑prompt architecture considered a security risk?

The earlier design relied on a single prompt that could be directly influenced by external content, making it vulnerable to indirect prompt injection attacks like those demonstrated in the Comet breach. Without additional safeguards, malicious actors could embed hidden commands that the AI would execute as if they were legitimate user instructions.

Further Reading

More in Business & Startups

Qwen3‑TTS‑Flash Review: Open TTS Model Excels at Dialects and Natural Speech

Chance AI targets India with visual Perplexity platform, student‑led rollout

Google's bundled search and AI crawlers gather three times OpenAI's data

Meta strikes AI licensing deals with CNN, Fox News, USA Today, People

Replit adds Vibe coding to Google Cloud, using Cloud Run, GKE, BigQuery

Common Questions Answered

What vulnerability did Brave uncover in the Comet assistant in August 2025?

How does Perplexity's BrowseSafe safety layer address the Comet prompt‑injection issue?

How does BrowseSafe's detection performance compare to PromptGuard‑2 and GPT‑5?

Why was Perplexity's previous single‑prompt architecture considered a security risk?

What vulnerability did Brave uncover in the Comet assistant in August 2025?