CometJacking Attack Hijacks Perplexity’s AI Browser to Steal Gmail and Calendar Data with One Click
The LayerX team has disclosed the mechanics of a novel attack dubbed CometJacking, which exploits the AI-enabled Comet browser from Perplexity. Comet embeds an assistant with access to email, calendar, and other linked services; by luring a user to a single crafted link, an attacker can silently bypass safeguards and exfiltrate sensitive data—without the user’s awareness.
The technique hinges on subverting what the browser is expected to do with a link. When a victim follows the specially composed URL, the embedded agent receives a concealed instruction, a prompt injected through the URL itself: rather than navigating to an external page, it queries Gmail or the calendar, encodes the harvested data in Base64, and transmits it to a remote server. Because the browser is already authenticated to those services, no additional login is required, and the user sees nothing out of the ordinary.
The instruction is conveyed through the URL's collection parameter, which tells the agent to consult its own memory and connected services instead of fetching resources from the web, and that is what enables the extraction of confidential information. This method does not rely on classic phishing, credential prompts, or forged login pages; everything transpires quietly in the background after a single click.
Perplexity maintains that the issue is not a security vulnerability, but the report’s authors disagree. They warn that AI-augmented browsers are emerging as a fresh attack surface—capable of serving as covert control channels within corporate networks. The flaw effectively converts a trusted agent into a data-leak conduit, circumventing conventional defenses.
This is not the first critique leveled at Perplexity's offerings. Guardio Labs previously described Scamlexity, a technique by which an AI browser can be stealthily directed to phishing sites or counterfeit online stores. Both tactics require nothing from the user beyond following a link, relying solely on hidden commands embedded in the content the agent processes.
LayerX urges developers to rethink the architecture of such systems: protections must extend beyond page content to encompass prompt-handling logic and memory access controls. Absent such safeguards, a mere hyperlink can become an insider threat that no traditional antivirus can reliably thwart.