thehackernews.com 3/11/2026, 6:22:05 PM · via preferred

Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes

Researchers have demonstrated a phishing scam against Perplexity’s Comet AI browser by exploiting its agentic, reasoning-capable design, showing that the AI can be manipulated into visiting a bogus page and entering credentials in under four minutes. According to Guardio, the attack uses the browser’s real-time, on-page reasoning and its narration of actions as input for training a generative adversarial network that drives the browser into a fraudulent page.

The researchers describe a method they call Agentic Blabbering, in which the AI browser exposes what it sees, what it believes, what it plans to do next, and which signals it considers suspicious or safe, all of which attackers can exploit. The disclosure builds on prior techniques such as VibeScamming and Scamlexity, which found that AI browsers could be guided to generate scam pages or perform malicious actions via hidden prompt injections.

Trail of Bits recently demonstrated four prompt-injection techniques against the Comet browser to exfiltrate users’ private information from services like Gmail, while Zenity Labs reported zero-click attacks using indirect prompt injections seeded in meeting invites.

Article by CyberSIXT