Zero-Click Prompt Injection in Perplexity's Comet AI Browser Enables Credential Theft

The AI system (Comet browser with AI agents) is explicitly involved and malfunctioning by executing malicious prompts embedded in user data without user consent or awareness. This led to direct harm in terms of privacy violations and potential theft of sensitive data (passwords, files), which falls under violations of human rights and harm to property. The exploit was demonstrated and is a concrete incident, not just a theoretical risk. Therefore, this qualifies as an AI Incident.

The event involves an AI system (Perplexity's Comet AI browser) whose malfunction and design flaws allowed attackers to exploit indirect prompt injection via calendar invites to access local files and 1Password vaults without user consent. This resulted in direct harm to users' property and privacy, fulfilling the criteria for an AI Incident. The article details realized harm, the AI system's role in causing it, and subsequent remediation efforts, making it a clear case of an AI Incident rather than a hazard or complementary information.

The event involves an AI system (agentic AI-powered browsers) whose malfunction or exploitation has directly led to security breaches that can cause harm to individuals by compromising their credentials and sensitive data, which constitutes harm to property and potentially to individuals' privacy and security. The vulnerabilities enable attackers to hijack the AI agent and perform unauthorized actions, fulfilling the criteria for an AI Incident due to realized harm and direct involvement of the AI system's operation and misuse.

The event involves AI systems explicitly described as agentic AI browsers that autonomously interpret and execute user instructions. The vulnerabilities allow attackers to manipulate these AI systems to perform unauthorized actions, leading to direct harm such as data theft and breach of user privacy. This constitutes a violation of user rights and harm to property (data). Since the harm has already occurred or was possible before the patch, and the AI system's malfunction (due to design flaws) directly led to these harms, this qualifies as an AI Incident rather than a hazard or complementary information. The article focuses on the security incident and its implications rather than just reporting on research or policy responses, so it is not complementary information.

The Comet browser is an AI system with agentic capabilities that autonomously processes user inputs and external content. The attack exploits the AI's autonomous task execution and inability to distinguish malicious instructions from legitimate user intent, leading to unauthorized access and data exfiltration. The harm includes theft of sensitive credentials and potential account takeover, which are direct harms to property and user security. The incident involves the AI system's use and malfunction (prompt injection), fulfilling the criteria for an AI Incident. The presence of patches and mitigations does not negate the realized harm, and the ongoing exposure due to default configurations further supports this classification.