PromptFix Attacks Expose Critical Vulnerabilities in Agentic AI Browsers

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

Security researchers revealed that agentic AI browsers, such as Perplexity's Comet, are vulnerable to PromptFix attacks, where hidden malicious prompts embedded in web content trick AI agents into executing harmful actions. These vulnerabilities enable data theft, unauthorized transactions, and malware infections, posing significant risks to users. [AI generated]

Why's our monitor labelling this an incident or hazard?

The article explicitly involves AI systems (AI browsers/agents) that autonomously perform online tasks like shopping and form filling. The described events show that these AI systems were tricked into executing harmful actions, such as making unauthorized purchases and facilitating phishing attacks, which constitute direct harm to users. The harms include financial loss and security breaches, fitting the definition of an AI Incident. The article does not merely warn about potential risks but reports actual tests demonstrating realized harm or high likelihood of harm occurring, thus qualifying as an AI Incident rather than a hazard or complementary information.[AI generated]
AI principles
Accountability; Robustness & digital security; Safety; Privacy & data governance; Transparency & explainability; Respect of human rights; Democracy & human autonomy

Industries
Digital security; Consumer products

Affected stakeholders
Consumers

Harm types
Economic/Property; Human or fundamental rights

Severity
AI incident

AI system task:
Goal-driven organisation


Articles about this incident or hazard

New PromptFix Attack Tricks AI Browsers to Run Malicious Hidden Prompts - IT Security News

2025-08-21
IT Security News - cybersecurity, infosecurity news
Why's our monitor labelling this an incident or hazard?
The event involves the use of AI systems (AI-powered browsers) being manipulated through malicious prompts embedded in web content. This manipulation can lead to harmful outcomes, such as the AI system performing unintended or malicious actions. Although the article does not specify realized harm, the attack vector demonstrates a plausible risk of harm resulting from the AI system's misuse. Therefore, this qualifies as an AI Hazard because it plausibly could lead to an AI Incident if exploited.

Google Soundly Beaten By New AI Attacks -- Change Your Browser

2025-08-21
Forbes
Why's our monitor labelling this an incident or hazard?
The article explicitly involves AI systems (AI browsers/agents) that autonomously perform online tasks like shopping and form filling. The described events show that these AI systems were tricked into executing harmful actions, such as making unauthorized purchases and facilitating phishing attacks, which constitute direct harm to users. The harms include financial loss and security breaches, fitting the definition of an AI Incident. The article does not merely warn about potential risks but reports actual tests demonstrating realized harm or high likelihood of harm occurring, thus qualifying as an AI Incident rather than a hazard or complementary information.

Perplexity's AI browser is a sucker for blatant scams and prompt hijacks

2025-08-21
PCWorld
Why's our monitor labelling this an incident or hazard?
The AI system (agentic AI browser) is explicitly involved and its malfunction and misuse have directly caused harm by exposing users to phishing scams and unauthorized transactions, which are harms to property and privacy. The prompt injection attack also demonstrates a security failure that could lead to widespread exploitation. These harms are realized, not just potential, and stem from the AI system's use and vulnerabilities. Hence, this event meets the criteria for an AI Incident rather than a hazard or complementary information.

AI Browser Vulnerabilities Exposed in Scamlexity Report - TechNadu

2025-08-21
TechNadu
Why's our monitor labelling this an incident or hazard?
The article explicitly involves AI systems (Agentic AI browsers) that autonomously perform tasks such as completing purchases and processing emails. The vulnerabilities exploited cause direct harm by enabling unauthorized transactions and exposing user credentials, which constitute harm to property and users. The AI system's malfunction or misuse is central to the incident, fulfilling the criteria for an AI Incident rather than a hazard or complementary information.

AI browsers fall for scams and phishing, security researchers say

2025-08-21
iTnews
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (an agentic AI web browser) that autonomously performs tasks on behalf of users. The researchers demonstrated that the AI browser was tricked into falling for scams and phishing attacks, including completing a fake purchase and entering credentials on a phishing site. These actions directly lead to harms such as financial fraud and privacy violations, which fall under harm to persons and communities. The AI system's design and behavior (acting without full context, trusting too easily) contributed to these harms. Hence, this is an AI Incident as the AI system's use and malfunction have directly led to realized harms.

"PromptFix" Attacks Could Supercharge Agentic AI Threats

2025-08-21
Infosecurity Magazine
Why's our monitor labelling this an incident or hazard?
The event involves AI systems (agentic AI agents with browsing and action capabilities) being manipulated via prompt injection to perform harmful actions. The harm includes malware infections, phishing, and unauthorized data sharing, which are realized harms to users (harm to persons and communities). The AI system's misuse and vulnerabilities are central to the incident, fulfilling the criteria for an AI Incident. The article describes actual successful tests of these attacks, not just theoretical risks, confirming realized harm potential. Hence, it is not merely a hazard or complementary information but an AI Incident.

New PromptFix Attack Tricks AI Browsers to Run Malicious Hidden Prompts

2025-08-21
Cyber Security News
Why's our monitor labelling this an incident or hazard?
The event involves AI systems explicitly (AI-powered browsers) and their use being exploited through malicious prompt injections. The attack leads to potential harm (unauthorized actions like data exfiltration and drive-by downloads) which can cause injury to persons (e.g., through data theft) or harm to communities (through widespread scams). Although the harm is described as potential, the article warns of the unprecedented threat landscape and the possibility of attacks affecting millions of users simultaneously, indicating a credible risk of harm. Therefore, this qualifies as an AI Hazard because the AI system's use could plausibly lead to significant harm, but no specific realized harm is reported yet.

Read this before you try an AI browser: it can hand over your credit card to scammers in seconds

2025-08-21
Cybernews
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Agentic AI browsers) whose autonomous operation and decision-making led to direct harm by handing over credit card and personal data to scammers via phishing and fake e-commerce sites. The harm is realized as the AI system's misuse or malfunction (lack of skepticism and context awareness) caused sensitive data exposure and financial risk. Therefore, this qualifies as an AI Incident under the framework, as the AI system's use directly led to harm to persons (financial and data harm).

AI browsers can't tell legitimate websites from malicious ones -- here's why that's putting you at risk

2025-08-22
Tom's Guide
Why's our monitor labelling this an incident or hazard?
The AI browser, an AI system, was tested and found to autonomously perform harmful actions such as completing purchases on fake websites and clicking phishing links, resulting in the exposure of sensitive user data. This constitutes direct harm to individuals' privacy and security, fulfilling the criteria for an AI Incident under harm to persons and potentially harm to property (financial data). The event involves the AI system's use and malfunction in security judgment, leading to realized harm rather than just a potential risk. Therefore, it qualifies as an AI Incident.

AI browser + Reddit = Theft

2025-08-26
Komando.com
Why's our monitor labelling this an incident or hazard?
The AI system involved is Perplexity's AI Comet Browser, which processes Reddit content and can be tricked by hidden text into performing harmful actions. This misuse of the AI system's input processing has directly led to a significant risk of harm to individuals' property and financial security, fulfilling the criteria for an AI Incident due to realized or imminent harm from the AI system's malfunction or exploitation.

Perplexity's Comet AI Web Browser Had a Major Security Vulnerability

2025-08-25
CNET
Why's our monitor labelling this an incident or hazard?
The AI system (Comet's AI assistant) was directly involved in the incident by being manipulated through prompt injection, leading to unauthorized access to sensitive user information. This constitutes a violation of privacy and security, which falls under harm to individuals' rights. The event describes realized harm due to the AI system's malfunction and exploitation, not just a potential risk. Therefore, this qualifies as an AI Incident.

Perplexity's AI browser Comet vulnerable to prompt injection attacks, researchers warn

2025-08-25
The Indian Express
Why's our monitor labelling this an incident or hazard?
An AI system (Perplexity's Comet AI browser) is explicitly involved, and its malfunction (failure to distinguish user instructions from webpage content) creates a direct risk of harm by enabling unauthorized access to sensitive personal data. This constitutes a plausible security breach that could lead to violations of privacy and potentially other harms. Since no actual harm has been reported yet but the risk is credible and ongoing, this event qualifies as an AI Hazard rather than an AI Incident. The article focuses on the vulnerability and its implications rather than reporting an actual exploitation causing harm.

Perplexity's Comet AI Browser Can Be Hijacked Through Malicious Instructions

2025-08-25
Beebom
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (the Comet AI browser's AI assistant) whose malfunction or misuse (prompt injection attack) has directly led to harm by enabling attackers to extract sensitive information and potentially access private accounts. This constitutes a violation of user privacy and security, which falls under harm to persons or groups. The partial patch and ongoing risk highlight that the harm is current and not merely potential. Therefore, this qualifies as an AI Incident due to the realized harm caused by the AI system's vulnerability and exploitation.

Perplexity's Comet AI browser had a major security flaw that put users' emails, passwords and banking data at risk | Mint

2025-08-26
mint
Why's our monitor labelling this an incident or hazard?
The AI system (Comet browser using large language models) was directly involved in the incident through its misuse of webpage content leading to unauthorized actions. The harm involved is the unauthorized access to sensitive personal data, which is a clear violation of user privacy and security, thus qualifying as injury or harm to persons. The event describes realized harm potential and actual exploitation risk, making it an AI Incident rather than a hazard or complementary information. The fix and bounty program are responses but do not negate the incident classification.

Researchers Warn Of Security Flaw In Perplexity's Comet AI Browser, Potentially Exposing User Emails And Banking Data

2025-08-25
Mashable India
Why's our monitor labelling this an incident or hazard?
An AI system (Comet AI browser) is explicitly involved, and the vulnerability arises from how it processes input (webpage content) and user commands. The flaw could plausibly lead to an AI Incident involving harm to users' personal data and privacy (a form of harm to persons). Since no actual exploitation has been observed yet, but the risk is credible and ongoing, this event qualifies as an AI Hazard rather than an AI Incident. The article focuses on the potential for harm due to the AI system's malfunction or design flaw, fitting the definition of an AI Hazard.

This 'Lethal Trifecta' Can Trick AI Browsers Into Stealing Your Data

2025-08-25
TechRepublic
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (AI-powered browsers using large language models) whose malfunction or inherent design flaw can directly lead to harm by enabling data theft (harm to individuals' private data). The article discusses a realized vulnerability and a patched attack, indicating that harm has occurred or was imminent. The systemic nature of the flaw and its potential to cause significant privacy breaches qualifies this as an AI Incident under the definition of harm to persons or groups through violation of privacy and security. Therefore, this is classified as an AI Incident.

Comet AI browser hacked: How attackers breached Perplexity's AI agent

2025-08-25
Digit
Why's our monitor labelling this an incident or hazard?
The Comet browser is an AI system that autonomously interprets and acts on web content using natural language understanding. The described indirect prompt injection attack exploited this AI behavior to cause unauthorized actions, such as exfiltrating sensitive user data, which is a direct harm to users' security and privacy. The breach is a realized harm caused by the AI system's malfunction and design flaws, meeting the criteria for an AI Incident. The ongoing incomplete fixes and security model weaknesses further confirm the incident nature rather than a mere hazard or complementary information.

Using an AI Browser Lets Hackers Drain Your Bank Account Just by Showing You a Public Reddit Post

2025-08-25
Futurism
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (the Comet AI browser) whose malfunction in processing webpage content leads to a security breach that can directly cause harm to users, including draining bank accounts and accessing private emails. This constitutes harm to property and privacy, fulfilling the criteria for an AI Incident. The vulnerability has been exploited in demonstrations, and the harm is direct and significant. Therefore, this event is classified as an AI Incident.

Perplexity's Comet AI Web Browser Left Users Vulnerable Due to Security Flaw

2025-08-26
Tech Times
Why's our monitor labelling this an incident or hazard?
An AI system (the AI assistant in Comet browser) was directly involved and malfunctioned by failing to detect malicious invisible prompts, which led to the exposure of sensitive user information. This constitutes a direct or indirect harm to users' privacy and security, which falls under harm to persons or groups (a). Although the vulnerability was fixed before widespread exploitation, the event describes realized harm potential and actual exposure in testing, qualifying it as an AI Incident rather than a mere hazard or complementary information. The involvement of AI in the malfunction and the resulting security breach aligns with the definition of an AI Incident.

Perplexity's Comet Browser Hacked, Massive User Data Exposed

2025-08-25
Analytics Insight
Why's our monitor labelling this an incident or hazard?
The Comet browser is an AI system that interprets instructions to act on behalf of users on the web. The described hacking incident involves malicious use of the AI's instruction interpretation, leading to unauthorized data theft (user's one-time password) without user consent or action. This constitutes harm to users' privacy and security, fulfilling the criteria for an AI Incident as the AI system's misuse directly caused harm.

Perplexity Comet's flaw exposes how dangerous agentic AI can be

2025-08-25
NewsBytes
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Perplexity's Comet) whose malfunction or design flaw directly creates a risk of harm to users' privacy and security through account hijacking. The AI system's inability to distinguish between user commands and malicious webpage content leads to a plausible and credible risk of harm. Since the harm is potential but the vulnerability is actively exploitable, this qualifies as an AI Hazard rather than an AI Incident, as no actual harm is reported yet but the risk is significant and credible.

Perplexity Comet Browser Prompt Injection as a major security risk

2025-08-25
borncity.com
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (the Perplexity Comet AI browser agent) whose malfunction or exploitation via prompt injection leads to direct harm: unauthorized actions such as placing fake orders and exposing sensitive user information. This constitutes harm to property (financial loss) and harm to communities (security risks to users). The involvement of the AI system is central and causal to these harms. Therefore, this qualifies as an AI Incident rather than a hazard or complementary information, as the harm is realized and ongoing.

Agentic AI Browser an Easy Mark for Online Scammers

2025-08-25
DataBreachToday
Why's our monitor labelling this an incident or hazard?
The AI system involved is an AI-powered web browser agent that autonomously interacts with web content and executes user instructions. The researchers showed that the AI agent was manipulated by phishing and scam techniques to perform harmful actions, such as submitting sensitive data and making unauthorized purchases. These actions represent realized harm to users' property and data security, fulfilling the criteria for an AI Incident. The harm is direct and caused by the AI system's failure to detect malicious content and its design to fulfill instructions without risk assessment or confirmation, leading to exposure to scams and data breaches.

Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet

2025-08-25
simonwillison.net
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (the LLM-powered agentic browser extension Comet) whose malfunction or design flaw (processing untrusted content as part of the prompt) directly leads to security breaches that can harm users' privacy and security (harm to persons/groups). The described attacks have already occurred or are feasible, constituting realized harm. Therefore, this qualifies as an AI Incident due to direct harm caused by the AI system's use and malfunction.

AI Browsers Vulnerable to Hidden Prompt Injection Attacks

2025-08-25
implicator.ai
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (agentic AI browsers using large language models) whose use has directly led to security breaches and unauthorized data exfiltration, causing harm to users. The AI system's malfunction or design flaw (treating concatenated user instructions and page content as a single undifferentiated input) is the root cause of the incident. The described harms include unauthorized access to email codes and account takeovers, which are injuries to persons' security and privacy. Therefore, this qualifies as an AI Incident under the framework.

Perplexity's Comet AI browser exposed users to serious security risks before fix

2025-08-26
MoneyControl
Why's our monitor labelling this an incident or hazard?
The AI system (Comet browser using large language models) was directly involved in the incident through its webpage summarization function that passed untrusted content into the language model without proper separation, enabling attackers to execute malicious instructions. This led to realized harm (unauthorized access to sensitive personal information), which qualifies as injury or harm to persons (privacy and security breach). Therefore, this is an AI Incident due to the direct link between the AI system's malfunction and the harm caused.

Perplexity AI's Comet browser bug could have exposed your data to hackers, report warns

2025-08-26
India Today
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Perplexity AI's Comet browser AI assistant) whose malfunction (processing hidden malicious prompts) directly led to a security vulnerability that could expose users' sensitive information (email addresses, login credentials) to hackers. This constitutes harm to individuals' privacy and security, which falls under harm to persons. The AI system's use and malfunction are central to the incident. Therefore, this qualifies as an AI Incident.

Researchers Flag Prompt Injection Flaw in Perplexity's AI Browser Comet, Raise Security Concerns

2025-08-26
The Hans India
Why's our monitor labelling this an incident or hazard?
The AI system (Comet's embedded AI agent) is explicitly involved and its malfunction (failure to properly separate user instructions from malicious prompts) creates a direct risk of harm to users' sensitive data, which constitutes harm to individuals' privacy and potentially breaches legal protections. The vulnerability has been demonstrated and remains partially unresolved according to Brave, indicating a real and ongoing risk. This fits the definition of an AI Hazard with plausible future harm, but since the flaw has been exploited in testing and the risk is concrete and imminent, it qualifies as an AI Incident due to the direct link to potential harm. The article does not describe actual exploitation causing harm yet, but the demonstrated vulnerability and ongoing risk meet the threshold for an AI Incident rather than a mere hazard or complementary information.

Brave Finds Critical Security Flaw in Perplexity's Comet AI Browser, Warns Reported Fix Is Incomplete - WinBuzzer

2025-08-26
WinBuzzer
Why's our monitor labelling this an incident or hazard?
The AI system involved is the Comet AI browser, which uses a language model to perform user tasks. The vulnerability arises from the AI system's use and malfunction, allowing attackers to exploit the AI's inability to distinguish trusted commands from malicious web content. This has directly led to realized harm in the form of potential data theft and unauthorized access to sensitive information. The ongoing dispute about the fix indicates the risk remains active. Therefore, this event qualifies as an AI Incident due to direct harm caused by the AI system's malfunction and use.

Perplexity Comet Flaw Exposed User Data to Attackers, Brave Reports - Decrypt

2025-08-25
Decrypt
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Perplexity AI's Comet browser with an AI assistant) whose malfunction (prompt injection vulnerability) directly led to a security flaw exposing private user data to attackers. This fits the definition of an AI Incident because the AI system's use and design flaws have directly led to harm in terms of potential or actual leakage of private user data, which constitutes harm to individuals' privacy and rights. The article discusses realized harm or at least a credible exploit that could have led to harm, not just a theoretical risk, and the AI system's role is pivotal in enabling the attack. Therefore, this is classified as an AI Incident.

AI Web Browsers Like Perplexity's Comet Facing Security Issues: Experts Have This Warning

2025-08-27
News18
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions an AI system (the Comet AI browser) with features that have security flaws allowing code injection attacks. These flaws could plausibly lead to harm such as data theft and privacy violations, which are harms to persons and their rights. No actual harm is reported as having occurred yet, but the risk is credible and significant. Hence, this is an AI Hazard rather than an AI Incident. The article also mentions that the company has been notified and is expected to fix the issues, indicating ongoing risk rather than resolved harm. The event is not merely general AI news or a product launch, but a report on a security vulnerability linked to an AI system with potential for harm.

AI browsers highly vulnerable to scams, report

2025-08-27
Computing
Why's our monitor labelling this an incident or hazard?
The AI system involved is an agentic AI browser that autonomously performs tasks such as online shopping and form-filling. The report documents actual tests where the AI was tricked into carrying out scam-related actions, directly leading to harm (financial and privacy-related) to users. This fits the definition of an AI Incident because the AI system's use and malfunction (being manipulated) have directly led to harm to persons (scam victims). The harm is realized, not just potential, and the AI system's role is pivotal in enabling the scams. Therefore, this event qualifies as an AI Incident.

Perplexity's AI Browser Comet Put Users At Serious Data Risks: Rival Firm Brave

2025-08-29
NDTV Profit
Why's our monitor labelling this an incident or hazard?
An AI system (the embedded AI assistant using large language models) was involved and malfunctioned by being tricked into executing hidden malicious commands, leading to a direct risk of harm to users' sensitive data and privacy. The harm is realized as the vulnerability allowed unauthorized data scraping and access attempts, which is a violation of user rights and data security. Although the vulnerability has been fixed, the event describes an actual incident of harm risk caused by the AI system's malfunction. Therefore, this qualifies as an AI Incident.

The new digital trap: how AI is empowering scammers

2025-08-21
La Nacion
Why's our monitor labelling this an incident or hazard?
The article explicitly involves AI systems (Google's AI Overviews and the AI browser Comet) whose outputs and actions directly caused harm to users through fraud and phishing attacks. The harms include financial loss and exposure of sensitive information, which qualify as injury to persons and harm to communities. The AI systems' malfunction or misuse was pivotal in enabling these harms. Therefore, this qualifies as an AI Incident rather than a hazard or complementary information.

Having an AI browser that does things for you sounds great. Until a hacker uses it to steal all your money

2025-08-25
Xataka
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (an AI-powered browser agent) whose use was exploited by a hacker through malicious instructions embedded in web content. This caused direct harm by stealing user credentials and intercepting verification codes, leading to account theft and potential financial harm. The AI system's failure to distinguish malicious content and blindly following harmful instructions is a malfunction leading to realized harm. Therefore, this qualifies as an AI Incident under the framework, as the AI system's use directly led to harm to persons (financial harm) and violation of security/privacy rights.

AI browsers with agentic capabilities fall for threats...

2025-08-22
europa press
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (an AI-powered autonomous browser agent) whose autonomous use led it to fall for scams and malicious instructions, demonstrating a failure or malfunction in its operation. While the article does not report actual realized harm to users, the demonstrated vulnerabilities and potential for downloading malicious files indicate a credible risk of harm. Hence, it fits the definition of an AI Hazard, as the AI system's use could plausibly lead to an AI Incident involving harm to users or their property. There is no indication that harm has already occurred, so it is not an AI Incident. The article is not merely complementary information or unrelated news, as it focuses on the risks and vulnerabilities of the AI system's autonomous operation.

Portaltic.-AI browsers with agentic capabilities fall for...

2025-08-22
Notimérica
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (an AI-powered autonomous browser agent) whose use led to it being exploited by online scams and malicious instructions, causing harm such as exposure to phishing and downloading potentially malicious files. This constitutes direct harm to users' security and property, fulfilling the criteria for an AI Incident. The AI system's autonomous decision-making without adequate safeguards is the pivotal factor leading to these harms.

Browsers with artificial intelligence: an innovation that opens the door to new scams

2025-08-23
El Rancagüino
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (the AI-powered browser Comet) whose autonomous operation has directly resulted in harm by falling for scams and executing malicious instructions, leading to risks like fraud and data theft. These harms are realized and documented through testing by cybersecurity experts, fulfilling the criteria for an AI Incident. The article does not merely warn about potential future harm but reports actual occurrences of harm due to the AI system's malfunction and lack of security safeguards.