Zero-Click Prompt Injection in Perplexity's Comet AI Browser Enables Credential Theft

The AI system (Comet browser with AI agents) is explicitly involved and malfunctioning by executing malicious prompts embedded in user data without user consent or awareness. This led to direct harm in terms of privacy violations and potential theft of sensitive data (passwords, files), which falls under violations of human rights and harm to property. The exploit was demonstrated and is a concrete incident, not just a theoretical risk. Therefore, this qualifies as an AI Incident.

The event involves an AI system (Perplexity's Comet AI browser) whose malfunction and design flaws allowed attackers to exploit indirect prompt injection via calendar invites to access local files and 1Password vaults without user consent. This resulted in direct harm to users' property and privacy, fulfilling the criteria for an AI Incident. The article details realized harm, the AI system's role in causing it, and subsequent remediation efforts, making it a clear case of an AI Incident rather than a hazard or complementary information.

The event involves an AI system (agentic AI-powered browsers) whose malfunction or exploitation has directly led to security breaches that can cause harm to individuals by compromising their credentials and sensitive data, which constitutes harm to property and potentially to individuals' privacy and security. The vulnerabilities enable attackers to hijack the AI agent and perform unauthorized actions, fulfilling the criteria for an AI Incident due to realized harm and direct involvement of the AI system's operation and misuse.

The event involves AI systems explicitly described as agentic AI browsers that autonomously interpret and execute user instructions. The vulnerabilities allow attackers to manipulate these AI systems to perform unauthorized actions, leading to direct harm such as data theft and breach of user privacy. This constitutes a violation of user rights and harm to property (data). Since the harm has already occurred or was possible before the patch, and the AI system's malfunction (due to design flaws) directly led to these harms, this qualifies as an AI Incident rather than a hazard or complementary information. The article focuses on the security incident and its implications rather than just reporting on research or policy responses, so it is not complementary information.

The Comet browser is an AI system with agentic capabilities that autonomously processes user inputs and external content. The attack exploits the AI's autonomous task execution and inability to distinguish malicious instructions from legitimate user intent, leading to unauthorized access and data exfiltration. The harm includes theft of sensitive credentials and potential account takeover, which are direct harms to property and user security. The incident involves the AI system's use and malfunction (prompt injection), fulfilling the criteria for an AI Incident. The presence of patches and mitigations does not negate the realized harm, and the ongoing exposure due to default configurations further supports this classification.

The vulnerabilities affect AI systems (agentic browsers) and enable attackers to exploit these systems to cause harm, including unauthorized access to files and credential theft, which constitute harm to individuals' security and privacy. Since the AI system's malfunction or exploitation directly leads to these harms, this qualifies as an AI Incident under the framework.

The AI system (Perplexity's Comet AI browser) is explicitly involved as it autonomously interprets instructions and acts on behalf of users. The vulnerability allowed attackers to exploit this AI behavior to access local files and credentials, constituting a violation of privacy and potentially human rights related to data protection. The harm (unauthorized access to files and credentials) has directly occurred due to the AI system's malfunction and misuse. Therefore, this qualifies as an AI Incident under the definitions provided.

The article explicitly involves AI systems—agentic AI-powered browsers—that autonomously interpret and execute instructions. The vulnerability arises from the AI's misuse of its autonomy, leading to unauthorized access to sensitive files and credentials, which is a clear harm to property and privacy. The harm is realized, not just potential, as researchers demonstrated data exfiltration and credential theft. The AI system's malfunction or design flaw is pivotal in enabling these attacks. Hence, this event meets the criteria for an AI Incident rather than a hazard or complementary information.

The event involves an AI system (Perplexity's Comet browser agent) whose malfunction and exploitation have directly caused harm by enabling data theft and credential compromise. The attack exploits the AI's handling of input data, leading to unauthorized access to sensitive files and password vaults, which is a violation of user rights and harms property (data). This fits the definition of an AI Incident because the AI system's malfunction and use have directly led to significant harm. The detailed description of realized harm and the direct causal role of the AI system confirm this classification.

The event involves an AI system (agentic AI browsers) and discusses flaws that could be exploited to cause harm such as data theft and credential compromise. Since the article focuses on the potential exploitation of these vulnerabilities and the inherent risks in such AI systems, but does not report actual incidents of harm, it fits the definition of an AI Hazard. The vulnerabilities could plausibly lead to an AI Incident if exploited, but as of the report, harm is potential rather than realized.