Recent threat research is showing that emerging agentic AI browsers can unpredictably reshape and exacerbate the already-fraught cybersecurity threat landscape.

Researchers have discovered a hidden Model Context Protocol (MCP) API within the newly launched Perplexity Comet browser.  

The flaw enables arbitrary local command execution — something that traditional browsers strictly prohibit. This means that if a threat actor compromises Perplexity’s website, they could use the browser’s agentic extension to run malicious code on user machines, potentially triggering notorious malware with only minor exploitation steps.

The risk extends beyond conventional credential theft: attackers can sideload spoofed extensions or use network attacks, phishing, or insider threats to gain control, making the attack vectors unprecedented in their reach.​

Prompt injection: a new abuse mechanism

Separately, investigations into the new AI-driven browser have uncovered an attack technique dubbed “CometJacking”. By embedding malicious prompts within a specially crafted URL — sent via phishing, or dropped onto a web page — attackers can flip the Comet browser from helpful assistant to data theft tool:

  • Instead of credential harvesting, these attacks exploit the browser’s AI agent, which already has authorized access to many popular collaboration apps and services.
  • The malicious instructions, inserted as query parameters, allow attackers to exfiltrate sensitive personal or business data with a single click.
  • Simple obfuscation techniques such as Base64 encoding can be used to trick the browser into bypassing built-in protections.

Takeaway lessons on agentic AI browsers

The findings reveal that agentic AI browsers interpret and act on natural language commands, meaning attackers no longer need to use traditional malware or rely on tricking the human user directly.

The AI itself can be tricked through indirect prompt injections embedded in places such as Reddit spoiler tags. Researcher assert that there are insufficient barriers between user prompts and untrusted page content; poor alignment checks to prevent unintended operations; and inadequate confirmation steps for sensitive actions. To wit, even after Perplexity issued a fix for their browser, independent retesting have found that vulnerabilities persist

Experts warn that the entire concept of agentic browsing is reshaping the cybersecurity threat landscape. AI-native tools open novel attack vectors that bypass familiar web controls. Closed proprietary systems make it difficult for outside experts to verify security improvements or patch efficacy.

As enterprise adoption of AI browsers accelerates, organizations will need to urgently develop mechanisms to detect and neutralize malicious agent prompts — underscoring that “trust” is now the hardest problem to engineer for the next generation of browsing solutions.